Best as always.. I have a doubt.. I have two different indexes.. and response time is in one index is totaltime but in another index it is elapsedtime.. is it possible to make both of them to single field..
How would you do for IP Subnets? For example, I want to map Subnet into following group/zone. 192.168.0.0/24 -> Apache, 192.168.1.0/24 -> DMZ DNS, 10.0.10.0/24 -> DB Cluster. Then after that, Apache & DMZ DNS will be again grouped as External Host and DB Cluster as Internal Host. Can you share reference on how I might be able to do about these two requirements?
well you can create event types for "Apache", "DMZ DNS" and "DB cluster" type events. In the event type query you can use regex command to filter the data. Then you can create those tags on thos event types. community.splunk.com/t5/Splunk-Search/regex-for-event-type/m-p/39888#:~:text=The%20'regex'%20command%20in%20splunk,use%20the%20'rex'%20command.&text=12%3A13%20AM-,You%20can%20create%20an%20event%20type%20based%20on%20a%20search,to%20match%20against%20your%20expression.
Great explanation...specially the difference between event types and tags made it very clear.
Very well explained. Waiting for your CIM video and how it relates to tagging.
Excellent explanation
Best as always.. I have a doubt.. I have two different indexes.. and response time is in one index is totaltime but in another index it is elapsedtime.. is it possible to make both of them to single field..
yes...you can use fieldalias for this kind of purpose.
How would you do for IP Subnets? For example, I want to map Subnet into following group/zone. 192.168.0.0/24 -> Apache, 192.168.1.0/24 -> DMZ DNS, 10.0.10.0/24 -> DB Cluster. Then after that, Apache & DMZ DNS will be again grouped as External Host and DB Cluster as Internal Host. Can you share reference on how I might be able to do about these two requirements?
well you can create event types for "Apache", "DMZ DNS" and "DB cluster" type events. In the event type query you can use regex command to filter the data. Then you can create those tags on thos event types.
community.splunk.com/t5/Splunk-Search/regex-for-event-type/m-p/39888#:~:text=The%20'regex'%20command%20in%20splunk,use%20the%20'rex'%20command.&text=12%3A13%20AM-,You%20can%20create%20an%20event%20type%20based%20on%20a%20search,to%20match%20against%20your%20expression.