This field is called 'Name' and contains around 10000 server names. I am trying to use an eval formula to create a column to identify the vpvms of the following server name: nadcvpvms04b.hca.corpad.net
I am a very new Splunk user. I have tried everything and for the life of me cannot get this to work, and I am sure it is something easy.
This is what I have so far
The case statement I tried
| eval Physical Host Type=case(match(Name,"(?i)\p{Ll}vpvms"),"ESX Host")
and the if statement I tried
| eval Physical Host Type=if(match(Name,"(?i)\p{Ll}vpvms"),"ESX Host","")
I don't understand exactly what you need but surely it is something like this:
| rex field=Name "(?i)pvms(?<Physical_Host_Type>\d+)"
It will be easier to give an exact answer if you provide 1 or 2 lines of logs.
Thanks
I think it is easier than you think.
| eval Physical_Host_Type = case(match(Name,"(?i)vpvms"),"ESX Host",1==1,"None")
This is better for two reasons: Field names should NOT have spaces in them; it can be done, it is just not recommended. And the "1==1" is your always-true statement, so you can filter out those that don't match later on. I have tested this on a different pattern, and it worked.
@alacercogitatus I tried your statement with no luck. I have provided a table of the data below. For those CI Names with vpvms, I would like to have ESX show up in the Physical_Host_Type.
CI Name            Physical_Host_Type
ordcwpdbsaasc1b    None
ordcvzvms01f       None
ordcvpvms02c       None
ordcvzvms01d       None
nadcvpvms03a       None
I appreciate the help
Based on your table there, is your field actually called Name or is it actually 'CI Name'?
@acharlieh Field name is 'Name'. Sorry about that.
I don't understand exactly what you need but surely it is something like this:
| rex field=Name "(?i)pvms(?<Physical_Host_Type>\d+)"
That is not even a valid command. Please revise.
Sorry, skip the eval!
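A reproducible check of the case/match approach from the thread, as an added example that is not code from any poster: it builds the server names from the question and the table with makeresults (constructed sample data), so it runs without an index. The name_present and sample columns are hypothetical helpers added here; name_present shows whether 'Name' exists on each event, since match() on a missing field returns null and every row then falls through to "None".

```spl
| makeresults
| eval sample="constructed from the names posted in this thread"
| eval Name=split("ordcwpdbsaasc1b,ordcvzvms01f,ordcvpvms02c,ordcvzvms01d,nadcvpvms03a,nadcvpvms04b.hca.corpad.net", ",")
| mvexpand Name
| eval name_present=if(isnull(Name), "no", "yes")
| eval Physical_Host_Type=case(match(Name, "(?i)vpvms"), "ESX Host", true(), "None")
| table Name name_present Physical_Host_Type sample
```

On this sample the three vpvms names get "ESX Host" and the rest get "None". If the real search shows "None" on every row, check name_present first: a "no" there means the field is not called Name in those events.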