I'm trying to create a new field that can populate multiple values based on another field's values. In this case I have a field called host, where there are 20 virtual servers listed. But I want to separate them out by, say, their "location" based on the host name alone.
For example:
new field hostLocation
host1, host2, host3, host4, host5, =northServers
host6, host7, host8, host9, host10, =southServers
host11, host12, host13, host14, host15, = westServers
host16, host17, host18, host19, host20, =eastServers
So if I were to run
index=foo source=bar
| stats count by hostLocation
would return log counts for the four defined host locations. I've tried various types of eval statements, but this case has more than just 2 outcomes.
Thank you in advance!