I'm trying to do an OS inventory from Active Directory. My results look something like this:
operatingSystem------------------------------ count
Windows 7 Enterprise -----------------------27
Windows 7 Professional---------------------3
Windows Server 2008 R2 Datacenter---100
Windows Server 2008 R2 Enterprise----24
Windows Server 2008 R2 Standard-----3
Windows Server 2012 Datacenter-------54
Windows Server 2012 R2 Datacenter---102
Windows Server® 2008 Datacenter-----11
And this is what I want:
operatingSystem -----------count
Windows 7---------------------30
Windows Server 2008-----138
Windows Server 2012-----156
I can't figure out how to rename and combine the fields to give me the data in this way. Any suggestions?
Try this:
your search here
| eval operatingSystem = case (
match(operatingSystem, "Windows 7"), "Windows 7",
match(operatingSystem, "Windows Server 2008"), "Windows Server 2008",
match(operatingSystem, "Windows Server 2012"), "Windows Server 2012",
1 == 1, "Other"
)
| stats sum(count) as count by operatingSystem
Try this:
your search here
| eval operatingSystem = case (
match(operatingSystem, "Windows 7"), "Windows 7",
match(operatingSystem, "Windows Server 2008"), "Windows Server 2008",
match(operatingSystem, "Windows Server 2012"), "Windows Server 2012",
1 == 1, "Other"
)
| stats sum(count) as count by operatingSystem
It would be good to include a default case value, to help validate that every possible OS string has been taken care of.
This works great! If is there a way to allow the "Other" values to continue to display what they are, instead of showing them as "Other"? For example, if I have one OSX box, let it show as OSX instead of Other.
Yes, simply do:
your search here
| eval operatingSystem = case (
match(operatingSystem, "Windows 7"), "Windows 7",
match(operatingSystem, "Windows Server 2008"), "Windows Server 2008",
match(operatingSystem, "Windows Server 2012"), "Windows Server 2012",
1 == 1, operatingSystem
)
| stats sum(count) as count by operatingSystem
Thanks Again!
True. Just fixed my answer to reflect that.