
Splunk replace host name with application name in search query

ravinder82
New Member

Hi Team,

I am new to the Splunk portal. I have to search multiple hosts for HTTP hits and display the result in a single graph by the application names hosted on the hosts, not by hostname.

The query is:
host="*" source="/home/abc/tomcat/logs/localhost_access_log.txt" | chart count over host by date_wday | fields host monday tuesday wednesday thursday friday saturday sunday

This query displays HTTP traffic by hostname, but I want to replace the hostname with the respective application name.

I want to show the application name instead of the hostname on the graph, with the HTTP counts.

Looking forward to your help.
Thanks


linu1988
Champion

Hello Ravi,
If you have your appname extracted, then
host="*" source="/home/abc/tomcat/logs/localhost_access_log.txt" | timechart count by application
should work for you on a dashboard. _time can be replaced with other date fields according to your requirement.

Make a query and check in the Search app whether it gives you the desired result; you may need to tweak it a bit.


kml_uvce
Builder

If the application name is in a field, or is in the data coming from the hosts, then you can extract the application field.
If neither of the above is the case, then make a lookup file with a host column and a respective application column, and use the application name in the search.

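The lookup approach from the reply above, written out as an added example (this is not code from the original thread). It assumes a CSV lookup table file named host_app.csv has been uploaded to Splunk with the header `host,appname` and one row per host, for instance `1234,abc` and `5678,def`; the file name and column names are assumptions. The search keeps the original weekday pivot from the question, and hosts missing from the lookup are labelled `unmapped` rather than silently dropped, so a host that was never mapped still shows up in the chart.

```spl
host="*" source="/home/abc/tomcat/logs/localhost_access_log.txt"
| lookup host_app.csv host OUTPUT appname
| fillnull value="unmapped" appname
| chart count over appname by date_wday
| fields appname monday tuesday wednesday thursday friday saturday sunday
```

The lookup has to run before the chart command, because chart only keeps the fields it groups on and counts, so host is no longer available afterwards. Two hosts mapped to the same appname are summed into one row, which is what a per-application graph needs.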

linu1988
Champion

Yes, you can use the replace command, but count first, then apply the case/replace command. You can do a column chart to show your stats. Thanks

e.g.
host="*" source="/home/abc/tomcat/logs/app_error_log.txt" | chart count by host | eval teamname=case(host="1234", "abc", host="5678", "def") | fields teamname, count

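The inline case() mapping from the reply above, as an added example rather than the reply's own search, with two changes a practitioner would want: a default branch, since case() returns null for any host not listed and that row then disappears from the chart, and the eval placed before chart so the weekday pivot from the original question still works. The host values 1234 and 5678 and the names abc and def are the placeholders used in the thread, not real identifiers.

```spl
host="*" source="/home/abc/tomcat/logs/localhost_access_log.txt"
| eval appname=case(host="1234", "abc", host="5678", "def", true(), "unmapped:" . host)
| chart count over appname by date_wday
| fields appname monday tuesday wednesday thursday friday saturday sunday
```

The `true()` branch at the end of case() is the catch-all; prefixing the raw host with `unmapped:` makes it obvious in the graph which hosts still need an entry in the mapping. Once the list of hosts grows beyond a handful, moving the mapping into a lookup file is easier to maintain than editing the case() expression in every saved search.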

ravinder82
New Member

Hi Team,

I do not have the application name in the application error logs (it can't be extracted).

Please help if, using replace ... with or the case functionality, I can display the name of the application in place of the hostname.

host="*" source="/home/abc/tomcat/logs/app_error_log.txt" | eval teamname=case(host="1234", "abc", host="5678", "def") | chart count by teamname

Thanks,
Ravinder


ravinder82
New Member

Thanks, Kml, for the response.

I extracted the field but don't know how to fit that field into the query. I have extracted it as appname.

Can you please help me get this into the query with respect to the hostname?

Thanks
