- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I edit my search to sort performance logs f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to write a search that will look at performance logs for my servers, putting the data from one set of servers into one bin, and everything else into a second bin.
Here's my attempt:
index=myindex sourcetype=performance_file ExecutionTime | eval category=(host="host1" OR host="host2" OR host="host3" OR host="host4", "SpecialServers", host!="host1" AND host!="host2" AND host!="host3" AND host!="host4", "OtherServers") | timechart span=1m avg(resptime) by category
I'm surprised by the error I'm getting:
Error in 'eval' command: The expression is malformed. Expected ).
Am I on the right track at all? I'm a bit of a rookie at advanced queries like this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try This
index=myindex sourcetype=performance_file ExecutionTime | eval category=if(host="host1" OR host="host2" OR host="host3" OR host="host4", "SpecialServers", "OtherServers") | timechart span=1m avg(resptime) by category
You were on the right track but I just modified your eval to use an if statement.
Here is the link with the syntax for if statements and many others.
http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonevalfunctions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You forgot the "case" and the double =
eval category = case(host ...
take a look at example 11 here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No need for a case if he just wants 2 groups of items. If he wanted 3 or more then a case statement would work better than an if statement.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
True. I didn't notice there were just two groups. Just saw a long eval and "assumed" there were more.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yup I did the same thing until I read through his query 🙂 All good.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try This
index=myindex sourcetype=performance_file ExecutionTime | eval category=if(host="host1" OR host="host2" OR host="host3" OR host="host4", "SpecialServers", "OtherServers") | timechart span=1m avg(resptime) by category
You were on the right track but I just modified your eval to use an if statement.
Here is the link with the syntax for if statements and many others.
http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonevalfunctions
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
