Hello,
We have a large server farm with applications distributed over a number of different nodes based on load and other factors.
I'd like to set up an automatic Asset Inventory to define which apps are running on which servers based on the web server's access logs. We have this already but it is managed manually and I'd like to automate it.
So far I've come up with the following:
eventtype=pageview | rename root AS App | join Asset [search source=applicationinventory.csv | eval Asset=App | fields + Description, ON_name, Environment] | stats count values(App) by host
The intention is that the above will correlate the data from the "Asset" column in the CSV file with the "root" field in the web logs and associate it with a host. From there, the result should show only the web results that match the data in the Asset field in the CSV file.
Now there's another clause in there: the fields in the web app log might contain extra data. For instance, if the "Asset" column of the CSV contains "AppName", the field in the web app log might contain a value of "00-AppName" or "AppName1234". I need to associate all variants in the web app log with the name in the Asset column of the CSV.
If I can find out how to either narrow down the search to match various variants of the same Asset in the root field, that would be fantastic, and extra awesomeness if I can find out how to correlate the data from both but only show the results matching the names in the CSV file.
Thanks!
Ken
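
The matching rule described in the post, worked through outside Splunk as an added example (not part of the original post and not a Splunk search): each "root" value is mapped to the inventory name it contains, values with no match are dropped, and the result is grouped by host. The sample rows, the function names, the case-insensitive comparison and the longest-name-first tie-break are assumptions made for this example.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample data (not from the post); column names follow the post.
INVENTORY_CSV = """Asset,Description,ON_name,Environment
AppName,Customer portal,team-a,Prod
Billing,Invoice service,team-b,Prod
BillingAdmin,Invoice back office,team-b,Test
"""

# Constructed (host, root) pairs as they would be extracted from access logs.
PAGEVIEWS = [
    ("web01", "00-AppName"), ("web01", "AppName1234"),
    ("web02", "appname"), ("web02", "BillingAdmin-v2"),
    ("web02", "Billing"), ("web03", "UnknownThing"),
]


def load_assets(csv_text):
    """Return asset names longest first, so 'BillingAdmin' beats 'Billing'."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted((r["Asset"] for r in rows), key=len, reverse=True)


def canonical_asset(root, assets):
    """Map a log value such as '00-AppName' to the inventory name it contains
    (case-insensitive); None when no inventory name occurs in it."""
    lowered = root.lower()
    for asset in assets:
        if asset.lower() in lowered:
            return asset
    return None


def inventory_by_host(pageviews, assets):
    """Count page views per host and canonical asset, dropping any root
    value that matches nothing in the inventory."""
    result = defaultdict(Counter)
    for host, root in pageviews:
        asset = canonical_asset(root, assets)
        if asset is not None:
            result[host][asset] += 1
    return {host: dict(counts) for host, counts in result.items()}


if __name__ == "__main__":
    print(inventory_by_host(PAGEVIEWS, load_assets(INVENTORY_CSV)))
```

Substring matching can attach a log value to the wrong asset when one inventory name is contained in another, which is why the longer name is tried first here.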