topic Re: Can I use icons dynamically without a lookup? Flow Map Viz in All Apps and Add-ons

Can I use icons dynamically without a lookup? Flow Map Viz

bimord — Wed, 30 Sep 2020 04:38:33 GMT

I am trying to use the Flow Viz Map app with dynamic values utilizing the icons but am having...

This is what I have so far (only drawing one 'tablet' OR the 2 'database' elements but not both and no flow is visable):

index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as errors
sum(eval(event_severity_code="WARNING")) as warn by host
| eval path=if(like(host,"business%"),"BEL---"+host,"")
| eval node="BEL" how do I add more than one node?
| eval icon=if(match(node,"BEL"),"tablet","database")
| table path node good warn error icon

This second query returns correct results but with no icons:

Any help would be appreciated 🙂

Thank you @chrisyoungerjds for your help - I was able to achieve these results with your help 🙂

Re: Can I use icons dynamically without a lookup? Flow Map Viz

chrisyounger — Mon, 16 Mar 2020 04:19:35 GMT

Hi @Bimord

I can appreciate that this is quite confusing, but you need to output two different "types" of rows. The path rows and the node rows. So your query here is going to create "path rows"

index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as errors
sum(eval(event_severity_code="WARNING")) as warn by host
| eval to=host, from="BEL"
| table to from good warn error

So you then need to add on the node rows. One way to do that, is a query like so:

| makeresults
| eval raw = "
node=BEL label=\"My Bel\" icon=users labely=30 height=40  ### 
node=host1 icon=tablet labely=30 height=40  ### 
node=host2 icon=database labely=30 height=40 "
| makemv delim="###" raw
| mvexpand raw 
| rename raw  as  _raw 
| extract
| table node label icon labely height

and finally combine both queries together like so:

index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as errors
sum(eval(event_severity_code="WARNING")) as warn by host
| eval to=host, from="BEL"
| append [| makeresults
| eval raw = "node=BEL label=\"My label\" icon=users labely=30 height=40  ### 
    node=host1 icon=tablet labely=30 height=40  ### 
    node=host2 icon=database labely=30 height=40 "
    | makemv delim="###" raw
    | mvexpand raw 
    | rename raw  as  _raw 
    | extract ]
| table to from good warn error node icon labely label height

Hope this helps,
Chris

Re: Can I use icons dynamically without a lookup? Flow Map Viz

bimord — Mon, 16 Mar 2020 04:50:44 GMT

Hi Chris -- Thanks for the speedy response

The problem there is that the names of the hosts are often cycling so can't be hardcoded into a raw like that. Is it possible to do something like

... | eval raw = "node=BEL label=\"My label\" icon=users labely=30 height=40  ### 
 node=" + host + " icon=tablet labely=30 height=40 "

Re: Can I use icons dynamically without a lookup? Flow Map Viz

chrisyounger — Mon, 16 Mar 2020 05:16:56 GMT

Yep sorry I should have given you a better example. Try something like this:

index=main sourcetype="*:application"
 | stats sum(eval(event_severity_code="SUCCESS")) as good
 sum(eval(event_severity_code="ERROR")) as errors
 sum(eval(event_severity_code="WARNING")) as warn by host
 | eval to=host, from="BEL"
 | append [ search index=main sourcetype="*:application" | stats count by host | eval icon = "tablet" | rename host as node | table node icon ]
 | table to from good warn error node icon

Re: Can I use icons dynamically without a lookup? Flow Map Viz

bimord — Mon, 16 Mar 2020 05:21:16 GMT

Thankyou Chris -- this is perfect 🙂

Re: Can I use icons dynamically without a lookup? Flow Map Viz

chrisyounger — Mon, 16 Mar 2020 05:24:17 GMT

Good one. Glad it solved your problem.

Re: Can I use icons dynamically without a lookup? Flow Map Viz

bimord — Mon, 16 Mar 2020 05:27:51 GMT

I used both your solutions in the one to get the output i was hoping for 🙂

index=main sourcetype="*:application" 
      |  stats sum(eval(event_severity_code="SUCCESS")) as good sum(eval(event_severity_code="ERROR")) as errors sum(eval(event_severity_code="WARNING")) as warn by host 
            | eval from=host, to="BEL"
            | append 
              [| makeresults 
                | eval raw = "node=BEL label=\"BEL\" icon=cog" 
                | makemv delim="###" raw 
                | mvexpand raw 
                | rename raw as _raw 
                | extract ] 
            | append 
              [ search index=main sourcetype="*:application" 
                | stats count by host 
                | eval icon = "tablet" 
                | rename host as node 
                | table node icon ] 
            | table to from good warn error node icon label