
Avoid a Really Long Case Statement

michaudel
Explorer

hello,
So I have this crazy query and I know there has to be a better way to do this, just not sure what it might be. Quick explanation of the query: the first section is simply filtering down the syslogs to only look at specific entries. Then I use some regex to pull out my fields because the log format keeps changing, so I haven't had time to actually create fields. In my regex I create this field called appgr for app group. ms is milliseconds based on a response time. datacenter is which of many data centers.

So here is where the problem comes in: in order to chart the app groups by data center I end up having a crazy case statement for each app group, of which of course there are lots. I was trying to think if there was a way to just loop through appgroup values? Not sure.

I guess in short, ultimately I would like to timechart the 90th percentile for milliseconds by data center and app group.

Hopefully it makes sense, thanks, Ethan

index=network sourcetype="syslog" "Security Zone:" "Application:" origin NOT .gif NOT *.png NOT *.js NOT *.css
| dedup raw
| rex "(?i) Member:(\s|)(?P<appgr>[^\s^]{0,250})"
| rex "(?i)Time:\s(?P<ms>[^\s^ms]{0,250})"
| rex "^.?Member:.*_(?P<datacenter>[^\s]{0,250})\s.*Time:"
| eval DC_case=case(datacenter = "foo" AND appgr="appgrpbar", "DCfoo_appgrpbar", datacenter = "foo2" AND appgr="appgrbar", "DCfoo2_appgrbar", datacenter = "foo" AND appgr="appgrpbar1", "DCfoo_appgrpbar1", datacenter = "foo1" AND appgr="appgrpbar1", "DCfoo1_appgrpbar1", datacenter = "foo" AND appgr="appgrpbar2", "DCfoo_appgrpbar2", datacenter = "foo1" AND appgr="appgrpbar2", "DCfoo1_appgrpbar2", datacenter = "foo" AND appgr="appgrpbar3", "DCfoo_appgrpbar3")
| timechart span=20s perc90(ms) by DC_case


jonuwz
Influencer

Sounds like a classic use for lookups : link

I'm guessing that the example you posted is simplified, otherwise

eval DC_case = "DC".datacenter."_".appgrp

would do the trick



michaudel
Explorer

Didn't even think of that thanks.

So the logic on my example is the same. The problem is the fields return values like 1234, which mean Data Center A. So I was using the case statement to make "friendly" names; if I simply string them together with "DC".datacenter."_".appgrp the problem is it would look like DC3456_apA, which unfortunately doesn't mean much to our operations partners.

Lookups work perfectly though, I created a quick test and it does exactly what I need. Thanks for the help, Ethan

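The lookup approach suggested in the accepted answer, and confirmed above as mapping raw codes such as 1234 to friendly names, worked through as an added example (not the original poster's query nor the responder's code). It assumes two CSV lookup tables uploaded under Settings > Lookups and exposed as lookup definitions named dc_names (columns datacenter,dc_name, e.g. a constructed row 1234,DC_A) and app_names (columns appgr,app_name, e.g. a constructed row apA,Payments). Keeping one table per dimension means the table size grows with the number of data centers plus app groups rather than their product, which is what made the original case statement unmanageable. The field names appgr, ms and datacenter follow the question's rex extractions.

```spl
index=network sourcetype="syslog" "Security Zone:" "Application:" origin NOT .gif NOT *.png NOT *.js NOT *.css
| dedup raw
| rex "(?i) Member:(\s|)(?P<appgr>[^\s^]{0,250})"
| rex "(?i)Time:\s(?P<ms>[^\s^ms]{0,250})"
| rex "^.?Member:.*_(?P<datacenter>[^\s]{0,250})\s.*Time:"
| lookup dc_names datacenter OUTPUT dc_name
| lookup app_names appgr OUTPUT app_name
| fillnull value="unknown" dc_name app_name
| eval DC_case=dc_name."_".app_name
| timechart span=20s perc90(ms) by DC_case
```

The fillnull step is the caveat worth keeping: without it, any datacenter or appgr code that has not yet been added to the CSV produces a null DC_case and silently disappears from the chart, so a new data center or app group would go unnoticed rather than showing up as an "unknown_..." series that prompts someone to extend the lookup. To check what the tables currently contain, run `| inputlookup dc_names` or `| inputlookup app_names` on their own.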