Hi Splunk Ninjas,
we have different web portals for different purposes. I categorize them as internal and external web portal.
now under the cs_host field I have different values but both type of values are pointing as one web portal
for example.
cs_host=www.abc.com dvc/host= 1.2.3.4(External)
cs_host=abc.com dvc/host= 1.2.3.4(Internal)
cs_host=abc dvc/host= 1.2.3.4(Internal)
cs_host=www.xyz.com dvc/host= 1.2.3.4(External)
cs_host=xyz.com dvc/host= 1.2.3.4(Internal)
cs_host=xyz dvc/host= 1.2.3.4(External)
the idea comes in my mind to segerate them based on either internal OR external
so if the cs_host=www.abc.com OR cs_host=www.xyz.com
then there should be another field name web_portal=external
and if cs_host=abc.com|abc OR cs_host=xyz|xyz.com
the the cs_host values should become abc|xyz.
↧