Solved: How to group hosts for reporting?

the_wolverine · ‎11-09-2010

I have hundreds of hosts within a tier and would like to combine those hosts for the purposes of reporting. For example, I have the following hosts:

web001.mydomain.com
web002
web003
web004
...
web999

I'd like to report all web hosts as web_tier. So I can run a report for users who access hosts in the web_tier. How can I do this?

chris · ‎11-09-2010

Hi

We have a DB that stores this type of information at our company and we use lookups to add that kind of information to our events.

I guess you could try this eval, and use the tier field for your report:

| eval tier=replace(source,"\d\d\d","_tier")

But I'm guessing that this is probably not what you're looking for.

Chris

chris · ‎11-09-2010

Hi

We have a DB that stores this type of information at our company and we use lookups to add that kind of information to our events.

I guess you could try this eval, and use the tier field for your report:

| eval tier=replace(source,"\d\d\d","_tier")

But I'm guessing that this is probably not what you're looking for.

Chris

araitz · ‎11-10-2010

Another way to do this: ... | replace web* with web_tier in host | ...

chris · ‎11-10-2010

I'm glad if that helped

the_wolverine · ‎11-10-2010

Yes, Chris! This is what I needed! I used the following syntax to match multiple patterns:

| eval tier=replace(host,"(\d\d\d.mydomain.com|\d+.sub.mydomain.com)","_tier")

How to group hosts for reporting?