I have a situation where I want to report on events from 2 sets of servers where I can compare the aggregate counts. I want all the results grouped into 2 tallies. In other words...
I want to do some timechart and other stats reports that have the tallies for the events labeled / displayed as Group A and Group B - not all the individual servers as would be the case with the "host=xxxxx" scenario. Can this be done?
TIA!
The replace command should let you get the results you want.
http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/Replace
Splunk Blogs has a walk-through:
http://blogs.splunk.com/2014/05/22/using-the-replace-command-granular-details-are-great-but-i-need-a...
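As an added illustration (not part of the answer above, and not from the linked docs), here is how the `replace` command can collapse individual hostnames into the two group labels the question asks for, so that `timechart` and `stats` tally by group rather than by server. The host name patterns `web-*`/`db-*` and the source type `access_combined` are assumed placeholders; substitute whatever identifies each set of servers in your environment.

```spl
index=main sourcetype=access_combined (host=web-* OR host=db-*)
| replace "web-*" WITH "Group A", "db-*" WITH "Group B" IN host
| timechart span=1h count BY host
```

`replace` rewrites the values of the `host` field in the result set (the raw events and the index are untouched), so everything after it sees only "Group A" and "Group B"; the same pipeline with `| stats count BY host` instead of `timechart` gives the two aggregate tallies side by side. One caveat: `replace` does its substitution after the events are retrieved, so put the host filter in the base search (as above) rather than relying on the group names to narrow what is searched.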