Limited Search to 2 Categories

jaywilwk · ‎07-17-2014

The search below is taking anything that contains IBC Allow in the category and repurposing it to a new Category. Only thing is, I'm not able to capture the IBC Allows stuff as well from the category and repurpose it to the new Category. How can I accomplish this?

index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | search Category=IBC | timechart per_second(eval(round(if(Category="IBC",src_bytes,0)*8/1024/1024,2))) AS IBC_Traffic_Mb by GW

jaywilwk · ‎07-18-2014

If I run this it will return results back for IBC Allow and IBC Allows.

somesoni2 · ‎07-18-2014

If you run following, does it returns rows with category="IBC Allow" only or both?

index=proxysg sourcetype=proxysg category="IBC Allow*"

jaywilwk · ‎07-18-2014

It didn't work. It's still not capturing the IBC Allows. It's only capturing IBC Allow.

somesoni2 · ‎07-17-2014

Per definition of LIKE it should [ like(category,"IBC Allow%") where % is wildcard character]. Try the search that I provided earlier and see if that's matching both 'IBC Allow' and 'IBC Allows'

jaywilwk · ‎07-17-2014

the like condition isn't capturing IBC Allow and IBC Allows; it's only capturing IBC Allow. I've done a search to compare the results and it's not capturing both. It's only capturing IBC Allow.

somesoni2 · ‎07-17-2014

Well with condition 'like(category,"IBC Allow%")', it's capturing 'IBC Allow' 'IBC Allows' etc basically anything that starts with 'IBC Allow'. To capture other categories, you need to added conditions for those as well (e.g. category="IBC Allow*" OR category="softwhitelist" OR category="shopping"). If the no of categories to be included is high but categories to be excluded is small, you can use 'NOT' to exclude them instead of providing big inclusion list.

wpreston · ‎07-17-2014

How about:

index=proxysg sourcetype=proxysg | eval Category=if(category like "IBC All%", "IBC","Non-IBC") | ...rest of your search...

jaywilwk · ‎07-17-2014

In the Category field with a capital "C", there are multiple categories for instance: IBC Allow, IBC Allows, Non-IBC, softwhitelist, shopping, etc... What I'm trying to do is grab all of the IBC Allow and IBC Allows stuff and put them into one category. My current search only grabs IBC Allow; it doesn't grab both of them.

somesoni2 · ‎07-17-2014

Based on the filters you've applied, I guess the search cab be simplified as follow:

index=proxysg sourcetype=proxysg category="IBC Allow*" | timechart per_second(eval(round(src_bytes*8/1024/1024,2))) AS IBC_Traffic_Mb by GW

What do you mean by " capture the IBC Allows stuff as well from the category"? There are some special information present in field category which you want to display?

reed_kelly · ‎07-17-2014

Your search would be simpler and more efficient if you started it with:

index=proxysg sourcetype=proxysg Category="IBC Allow*"

Then the subsequent search would not be necessary.

It's not clear to me exactly what you are trying to do.

Limited Search to 2 Categories

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk