topic Re: How to trim the last line from query in Dashboards & Visualizations

How to trim the last line from query

avni26 — Mon, 29 Jul 2019 17:54:50 GMT

Hi ,
I am passing my search query in token using $job.search$, want to remove the last line from the query.
For example , my query is
index="idx2" report="ABC" | table number,description,description,group,sev ,closurec, created, state, closed_date | timechart count by state
So , I want to evaluate/pass only below in defined token
index="idx2" report="ABC" | table number,description,description,group,sev ,closurec, created, state, closed_date
Please let me know , how to remove the line after last occurrence of pipe"|" and retain all things before it.

Re: How to trim the last line from query

richgalloway — Mon, 29 Jul 2019 18:17:15 GMT

It's not clear at what point you want to change $job.search$, but you may be able to use rex.

... | eval search=$job.search$ | rex field=search "(?<token>.*)\|" | ...

Re: How to trim the last line from query

jacobpevans — Mon, 29 Jul 2019 18:46:28 GMT

Adding to @richgalloway 's answer, the full regex would look like this:

| makeresults
| eval job.search="index=\"idx2\" report=\"ABC\" | table number,description,description,group,sev ,closurec, created, state, closed_date | timechart count by state"
| rex  field=job.search "(?<search>.*)\s*\|[^\|]+"

(?<search>.*)\s*\|[^\|]+
(?<search>.*) - Grab everything .* in the job.search field and assign it to the new field search
\s*\|[^\|]+ - Match anything with any number of spaces \s followed by a pipe | followed by any number of non-pipe characters [^\|]+. Since they are not within the parentheses, all matching characters are discarded.

You could also force it to match the timechart command:

| makeresults
| eval job.search="index=\"idx2\" report=\"ABC\" | table number,description,description,group,sev ,closurec, created, state, closed_date | timechart count by state"
| rex  field=job.search "(?<search>.*)\s*\|\s*timechart[^\|]+"

Re: How to trim the last line from query

avni26 — Mon, 29 Jul 2019 18:59:56 GMT

@richgalloway wanted this for drilldown to open in new window. For this I am passing whole search query in one token to drilldown. But facing challenge when query conatins stats/timechart at the end.

Re: How to trim the last line from query

avni26 — Mon, 29 Jul 2019 19:07:09 GMT

I am trying something like this inside the search query, but Its not working

replace($job.search$,"\[|\]|\"","")

Re: How to trim the last line from query

richgalloway — Mon, 29 Jul 2019 19:40:45 GMT

Try editing the token as part of the drilldown. Edit the source dashboard's source and you'll see something like this:

<drilldown>
  <link target="_blank">search?q=$job.search$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
</drilldown>

A little-known feature of Simple XML is the ability to modify tokens before invoking the drilldown. I haven't done a lot with this feature, so I'm not sure of all it can do or even if it can do what is below. Experiment and let us know how it goes.

<drilldown>
  <eval token="job_search">$job.search$</eval>
  <eval token="srch">rex field=$job_search$ "(?<srch>.*)\|"</eval>
  <link target="_blank">search?q=index=$srch$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
</drilldown>

Re: How to trim the last line from query

avni26 — Tue, 30 Jul 2019 11:10:06 GMT

@richgalloway
Thank you for your response. It not worked. After using rex field, drilldown coming like below
rex field=search index="idx2" report="ABC" | table number,description,description,group,sev ,closurec, created, state, closed_date | timechart count by state "(?.*)|"
Please suggest.

Re: How to trim the last line from query

richgalloway — Tue, 30 Jul 2019 14:04:42 GMT

What does your <drilldown> paragraph look like?

Re: How to trim the last line from query

avni26 — Tue, 30 Jul 2019 16:07:41 GMT

@richgalloway Please see below.

<search>
 <query>index="idx2" report="ABC" | table 
  number,description,description,group,sev,closurec, created, state, closed_date
  |stats count by state                 
  </query>
  <set token="job_search">$job.search$</set>
  <set token="srch">rex field=$job_search$ "(?.*)\|"</set>
 </search>
 <option name="drilldown">cell</option>
 <drilldown>
  <link target="_blank">search?q=$srch$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$&amp;form.sel_group=$sel_group$&amp;;display.page.search.mode=smart&amp;dispatch.sample_ratio=1%0A&amp;workload_pool=&amp;display.page.search.tab=statistics&amp;display.general.type=statistics
 </drilldown>

Re: How to trim the last line from query

richgalloway — Tue, 30 Jul 2019 16:48:16 GMT

Have you tried the code from my answer? The code that uses <eval token... and not <set token...? The eval and set options do different things.

Re: How to trim the last line from query

avni26 — Wed, 31 Jul 2019 07:12:43 GMT

Yes , that also not worked. 😞