topic Re: How to match 2 data sets in JSON events using one common field in Dashboards & Visualizations

How to match 2 data sets in JSON events using one common field

anooshac — Tue, 23 Apr 2024 06:34:31 GMT

Hi All,

I have created a dashboard for JSON data. There are 2 sets of data in same index.

One is Info.metadata{} and another one is Info.runtime_data{} under same index as different events.

But both of the events have one common field that is "Info.Title".

How can i combine these 2 events?

Re: How to match 2 data sets in JSON events using one common field

ITWhisperer — Tue, 23 Apr 2024 06:39:47 GMT

There are a number of possibilities but probably the best way would be to use stats values() by Info.Title.

Re: How to match 2 data sets in JSON events using one common field

bowesmana — Tue, 23 Apr 2024 06:41:16 GMT

A bit more information would be useful, but this is a start and is the general technique for combining two data types on a common field

index=bla | stats values(*) as * by Info.Title

Re: How to match 2 data sets in JSON events using one common field

anooshac — Tue, 23 Apr 2024 09:46:20 GMT

@ITWhisperer,I have used stats and i was able to match the data.

I want to do one more implementation. I want to se t token based on the availability of Info.runtime_data{}. For every event there will not be Info.runtime_data{}. I want to set a token if Info.runtime_data{} is present in the event of Info.Title, if not present i want to unset that token. I have tried it in the search query using if condition. But i am not able to implement it in the dashboard.

<search> <query> index="abc" sourcetype="abc" Info.Title="$Title$" |spath output=Runtime_data path=Info.runtime_data | eval has_runtime = if(isnotnull(Runtime_data), "Yes", "No") | table _time, has_runtime </query> <done> <condition match="has_runtime=Yes"> <set token="tok_runtime">true</set> </condition> <condition match="has_runtime=No"> <unset token="tok_runtime"></unset> </condition> </done> </search>

This is my code, i am not sure the Condition match is correct or not. But im not able to set or unset the token. Please suggest me anything.

Re: How to match 2 data sets in JSON events using one common field

ITWhisperer — Tue, 23 Apr 2024 10:15:54 GMT

In the done handler, you only have access to the first row of the results, so you would only be able to set a token based on the first result. Is this what you are actually trying to do?

Re: How to match 2 data sets in JSON events using one common field

anooshac — Tue, 23 Apr 2024 10:45:18 GMT

@ITWhisperer, yes im trying to set a token based on the value has_runtime. Since i want to show some charts only if that particular data is present. For this i am trying to create a token so that i can use this to show or hide the charts.

Re: How to match 2 data sets in JSON events using one common field

ITWhisperer — Tue, 23 Apr 2024 13:08:12 GMT

In that case you could rework your search so that it has either zero or 1 row depending on whether the condition is met, and set your token based on the number of results returned.

Re: How to match 2 data sets in JSON events using one common field

bowesmana — Wed, 24 Apr 2024 00:32:27 GMT

As @ITWhisperer you only have access to the first result of the table in the <done> clause, but assuming you only have a single result then you can set the token based on that very simply using <eval>

<done> <eval token="tok_runtime">if($result.has_runtime$="Yes", "true", null())</eval> </done>

If you have multiple results, then this would work

<search> <query> index="abc" sourcetype="abc" Info.Title="$Title$" |spath output=Runtime_data path=Info.runtime_data | eval has_runtime = if(isnotnull(Runtime_data), 1, 0) | table _time, has_runtime | eventstats max(has_runtime) as has_runtime </query> <done> <eval token="tok_runtime">if($result.has_runtime$>0, "true", null())</eval> </done> </search>

Re: How to match 2 data sets in JSON events using one common field

anooshac — Wed, 24 Apr 2024 04:17:24 GMT

@ITWhisperer , i considered 1,0 and and put condition like this. But still i am not able to set the token. Is this implementation correct?

Re: How to match 2 data sets in JSON events using one common field

bowesmana — Wed, 24 Apr 2024 07:06:20 GMT

@anooshacno it's not, you need to look at the $result.has_runtime$ token - see my example

Re: How to match 2 data sets in JSON events using one common field

ITWhisperer — Wed, 24 Apr 2024 07:53:28 GMT

You have not shown anything that indicates that the search has the value you are seeking on the first row of your results. Please share your search and follow @bowesmana's suggestion about which token to use to retrieve the results.