Our Splunk implementation has SERVERNAME as a preset field, and there are servers in different locations, but there is no location field. How can I count errors by location? I envision something like this but cannot find a way to implement it:
index=some_index "some search criteria"
| eval PODNAME="ONTARIO" if SERVERNAME IN ({list of servernames})
| eval PODNAME="GEORGIA" if SERVERNAME IN ({list of servernames})
| timechart span=30min count by PODNAME
Any ideas?
You have the right idea. Here's how to do that in SPL.
index=some_index "some search criteria"
| eval PODNAME=case(in(SERVERNAME, {list of servernames}), "ONTARIO",
in(SERVERNAME, {list of servernames}), "GEORGIA",
1==1, "unknown" )
| timechart span=30min count by PODNAME
There's a better way, though, since the above doesn't scale well with many locations and may become hard to maintain if the code is used in many places. Use a lookup table.
Create a CSV file with SERVERNAME and PODNAME columns, then use the lookup to map server name to location.
index=some_index "some search criteria"
| lookup serverlocation.csv SERVERNAME OUTPUT PODNAME
| timechart span=30min count by PODNAME
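One caveat worth adding to the lookup version (the searches below are an added example, not part of the original answer): a server that has no row in the CSV gets no PODNAME at all, so timechart silently drops its events instead of charting them as "unknown" the way the case() version does. Both searches assume serverlocation.csv has been uploaded as a lookup table file with SERVERNAME and PODNAME columns (constructed rows such as web01,ONTARIO and db01,GEORGIA), and that the index name and search criteria are placeholders as in the original.

```spl
index=some_index "some search criteria"
| lookup serverlocation.csv SERVERNAME OUTPUT PODNAME
| fillnull value="unknown" PODNAME
| timechart span=30min count by PODNAME

index=some_index "some search criteria"
| lookup serverlocation.csv SERVERNAME OUTPUT PODNAME
| where isnull(PODNAME)
| stats count by SERVERNAME
```

The first search keeps unmapped servers visible under an "unknown" series; the second lists which SERVERNAME values are missing from the CSV so the lookup file can be corrected.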