I'm trying to create a new field that can populate multiple values based on another field's values. In this case I have a field called host, where there are 20 virtual servers listed. But I want to separate them out by, say, their "location" based on the host name alone.
for example:
new field hostLocation
host1, host2, host3, host4, host5 = northServers
host6, host7, host8, host9, host10 = southServers
host11, host12, host13, host14, host15 = westServers
host16, host17, host18, host19, host20 = eastServers
So if i were to run
index=foo source=bar
| stats count by hostLocation
would return log counts for the four defined host locations. I've tried various types of eval statements, but this case has more than just 2 outcomes.
thank you in advance!
| eval hostLocation=case(host=="host1" OR host=="host2" OR host=="host3", "northServers",
host=="host6" OR host=="host7" OR host=="host8", "southServers",
host=="host11" OR host=="host12" OR host=="host13", "westServers")
I left out some data just because the above illustrates the methodology. You are not limited to two cases when using the case() eval function.
Another option is to tag your hosts with this metadata. Then you can just use the tag for filtering/aggregation.
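As an added example (not from the original answer), here is the same mapping written out for all 20 hosts with a catch-all branch, using match() so each location is one regular expression instead of a chain of OR clauses; the second search shows the lookup alternative and assumes a CSV lookup named host_location (columns host and hostLocation) has already been uploaded, which is an assumption, not something the thread defines.

```spl
index=foo source=bar
| eval hostLocation=case(
    match(host, "^host([1-5])$"),       "northServers",
    match(host, "^host([6-9]|10)$"),    "southServers",
    match(host, "^host(1[1-5])$"),      "westServers",
    match(host, "^host(1[6-9]|20)$"),   "eastServers",
    true(),                             "unknown")
| stats count by hostLocation

index=foo source=bar
| lookup host_location host OUTPUT hostLocation
| fillnull value="unknown" hostLocation
| stats count by hostLocation
```

case() returns the value of the first condition that matches, so the true() branch at the end catches any host that fits none of the patterns rather than silently dropping it from the stats output.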