So my base query to check sales is below:
index=myapp sourcetype=my_sourcetype host="*myhost*" "Logger*" AND "sold event" vertical=H
Now I need to write an efficient and fast query which shows cluster-wise sales,
like my_host1 - my_host3 is cluster 1
AND my_host4 - my_host6 is cluster 2
AND my_host7 - my_host9 is cluster 3
Okay, you've almost got it. One problem you are running into now is probably because you are using incorrect syntax for your comparisons.
When you are running a search, you can use * at the end of a literal to tell Splunk to match anything else that follows.
| search host="myhost_01*"
However, that comparison is not valid as a normal boolean test. In a boolean, you need to use one of the eval functions such as like(variable,SQLPattern) or match(variable,RegexPattern), as per this...
| eval cluster=case(like(host,"my_host01%"), "FirstValue", ... )
...or this...
| eval cluster=case(match(host,"my_host01.*"), "FirstValue", ... )
Can you write an eval like this:
| eval cluster=case(host=host1 OR host=host2 OR host=host3, "cluster1") and so on...
@p_gurav Thank you.
Do I need to write an eval on a new line for each cluster? My requirement is actually something like the below, with the base search query.
| timechart partial=f span=15m count as current_count
| streamstats window=10 current=f avg(current_count) as trend
| eval cluster=case(host=my_host01* OR host=my_host02 OR host=my_host03*, "cluster1")
| eval cluster=case(host=my_host04* OR host=my_host05* OR host=my_host06*, "cluster2")
| eval cluster=case(host=my_host07* OR host=my_host08 OR host=my_host09, "cluster3")
| eval trend=round(trend)
| eval difference=current_count-trend
| eval diff_percent=round((difference)/trend*100)
| eval hr=strftime(_time, "%H")
| table _time trend current_count difference diff_percent
Sorry, I am not an expert in Splunk and am learning the basics of it. Thank you.
You can write one eval:
index=myapp sourcetype=my_sourcetype host="myhost" "Logger*" AND "sold event" vertical=H
| timechart partial=f span=15m count as current_count
| streamstats window=10 current=f avg(current_count) as trend
| eval cluster=case(host=my_host01* OR host=my_host02* OR host=my_host03*, "cluster1", host=my_host04* OR host=my_host05* OR host=my_host06*, "cluster2", host=my_host07* OR host=my_host08 OR host=my_host09, "cluster3")
| eval trend=round(trend)
| eval difference=current_count-trend
| eval diff_percent=round(difference/trend*100)
| eval hr=strftime(_time, "%H")
| table _time trend current_count difference diff_percent cluster
@p_gurav
Getting error: "Error in 'eval' command: The expression is malformed. Expected )"
I checked the query but didn't see anything missing.
Hi,
host is a string, so just change your first eval to:
| eval cluster=case(host="my_host01*" OR host="my_host02*" OR host="my_host03*", "cluster1", host="my_host04*" OR host="my_host05*" OR host="my_host06*", "cluster2", host="my_host07*" OR host="my_host08" OR host="my_host09", "cluster3")
Thank you @Sukisen1981
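Because timechart keeps only _time and the aggregated counts, the cluster assignment has to run before the aggregation, and wildcards inside an eval comparison are not expanded, so the host prefix test uses the match() form from the earlier reply. The search below is an added example written for this thread, not any poster's query; it assumes zero-padded host names as in the evals above (my_host01 to my_host09), labels anything else "unassigned", and guards diff_percent against a zero trend.

```spl
index=myapp sourcetype=my_sourcetype host="*myhost*" "Logger*" AND "sold event" vertical=H
| eval cluster=case(
    match(host, "^my_host0[1-3]"), "cluster1",
    match(host, "^my_host0[4-6]"), "cluster2",
    match(host, "^my_host0[7-9]"), "cluster3",
    true(), "unassigned")
| timechart partial=f span=15m limit=0 count BY cluster
| untable _time cluster current_count
| streamstats window=10 current=f avg(current_count) AS trend BY cluster
| eval trend=round(trend)
| eval difference=current_count-trend
| eval diff_percent=if(trend=0, null(), round(difference/trend*100))
| table _time cluster current_count trend difference diff_percent
```

untable turns the wide timechart output (one column per cluster, zero-filled for empty buckets) back into one row per _time and cluster, so streamstats can compute the 10-bucket trailing average separately for each cluster with its BY clause.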