Hi,
We have a few appliances spread across various data centers feeding logs into Splunk. Each data center has 2 or more of such appliances depending on load. Hostname for the device is already an extracted field and is being used to chart individual count.
What I would like to do now is to combine the results based on DC, but the problem is that the DC identifier is part of the hostname and not a separate field, e.g. DC01APP1, DC01APP2, DC02APP1, DC02APP2. Now, instead of listing count for all 4 individually, I'd like to list for "DC01" and "DC02", where "DC01" should contain the aggregate count for DC01 (APP1/APP2).
Is there any eval function which might help in achieving this, or would I have to extract the DC part again from an existing field?
Many Thanks,
~ Abhi
Yes, there is:
your base search giving count by hostname | eval hostname=substr(hostname,1,4) | stats sum(count) as count by hostname
You could extract the DC name using rex and then aggregate on the new field. For example,
your base search | rex field=hostname "(?<DC>DC\d\d)" | stats count by DC ...
Thank you. Exactly what I was looking for.
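As an added example (not part of the original thread), here is a fuller search that combines the rex approach from the second answer with the per-DC aggregation the question asks for. The index and sourcetype names are assumptions; the only field the thread guarantees is the extracted `hostname`. The anchored pattern `^(?<DC>DC\d+)` captures the DC prefix however many digits it has, so it keeps working if a DC with three digits ever appears, whereas `substr(hostname,1,4)` would silently truncate it. The `coalesce` line matters for an operations view: `stats ... BY DC` drops any event whose `DC` field is null, so a hostname that does not follow the naming convention would otherwise vanish from the table instead of showing up as something to investigate.

```spl
index=appliance_logs sourcetype=appliance:syslog
| rex field=hostname "^(?<DC>DC\d+)"
| eval DC=coalesce(DC, "UNKNOWN")
| stats count AS events, dc(hostname) AS appliances, values(hostname) AS hosts BY DC
| sort - events
```

To get the same split over time instead of a single table, replace the `stats` and `sort` lines with `| timechart span=1h count BY DC`; a DC whose `events` column drops to zero while its `appliances` count stays the same is a quick signal that a site's feed has stopped rather than that the site has gone quiet.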