I am trying to use the Flow Viz Map app with dynamic values utilizing the icons but am having...
This is what I have so far (only drawing one 'tablet' OR the 2 'database' elements but not both and no flow is visible):
index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as error
sum(eval(event_severity_code="WARNING")) as warn by host
| eval path=if(like(host,"business%"),"BEL---"+host,"")
| eval node="BEL" how do I add more than one node?
| eval icon=if(match(node,"BEL"),"tablet","database")
| table path node good warn error icon
This second query returns correct results but with no icons:
index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as error
sum(eval(event_severity_code="WARNING")) as warn by host
| eval to=host, from="BEL"
| table to from good warn error
Any help would be appreciated 🙂
Thank you @chrisyoungerjds for your help - I was able to achieve these results with your help 🙂
Hi @Bimord
I can appreciate that this is quite confusing, but you need to output two different "types" of rows. The path rows and the node rows. So your query here is going to create "path rows"
index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as error
sum(eval(event_severity_code="WARNING")) as warn by host
| eval to=host, from="BEL"
| table to from good warn error
So you then need to add on the node rows. One way to do that, is a query like so:
| makeresults
| eval raw = "
node=BEL label=\"My Bel\" icon=users labely=30 height=40 ###
node=host1 icon=tablet labely=30 height=40 ###
node=host2 icon=database labely=30 height=40 "
| makemv delim="###" raw
| mvexpand raw
| rename raw as _raw
| extract
| table node label icon labely height
and finally combine both queries together like so:
index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as error
sum(eval(event_severity_code="WARNING")) as warn by host
| eval to=host, from="BEL"
| append [| makeresults
| eval raw = "node=BEL label=\"My label\" icon=users labely=30 height=40 ###
node=host1 icon=tablet labely=30 height=40 ###
node=host2 icon=database labely=30 height=40 "
| makemv delim="###" raw
| mvexpand raw
| rename raw as _raw
| extract ]
| table to from good warn error node icon labely label height
Hope this helps,
Chris
Hi Chris -- Thanks for the speedy response
The problem there is that the names of the hosts are often cycling so can't be hardcoded into a raw like that. Is it possible to do something like
... | eval raw = "node=BEL label=\"My label\" icon=users labely=30 height=40 ###
node=" + host + " icon=tablet labely=30 height=40 "
Yep sorry I should have given you a better example. Try something like this:
index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as error
sum(eval(event_severity_code="WARNING")) as warn by host
| eval to=host, from="BEL"
| append [ search index=main sourcetype="*:application" | stats count by host | eval icon = "tablet" | rename host as node | table node icon ]
| table to from good warn error node icon
Thank you Chris -- this is perfect 🙂
Good one. Glad it solved your problem.
I used both your solutions in the one to get the output I was hoping for 🙂
index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good sum(eval(event_severity_code="ERROR")) as error sum(eval(event_severity_code="WARNING")) as warn by host
| eval from=host, to="BEL"
| append
[| makeresults
| eval raw = "node=BEL label=\"BEL\" icon=cog"
| makemv delim="###" raw
| mvexpand raw
| rename raw as _raw
| extract ]
| append
[ search index=main sourcetype="*:application"
| stats count by host
| eval icon = "tablet"
| rename host as node
| table node icon ]
| table to from good warn error node icon label
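As an added example (not part of the thread above), the following search combines the two ideas from the thread into one query that does not re-run the base search: the path rows come from the stats, the per-host node rows are derived from those same results with appendpipe, and the icon is chosen from the hostname pattern the original question used ("business%" is assumed here as an illustrative naming convention; the field names to/from/good/warn/error for path rows and node/icon/label for node rows are the Flow Map Viz conventions already used in the thread).

```spl
index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
        sum(eval(event_severity_code="ERROR")) as error
        sum(eval(event_severity_code="WARNING")) as warn by host
| eval from=host, to="BEL"
| appendpipe
    [ stats count by from
      | rename from as node
      | eval icon=if(like(node,"business%"),"tablet","database")
      | fields node icon ]
| append
    [| makeresults
     | eval node="BEL", label="BEL", icon="cog"
     | fields node label icon ]
| table to from good warn error node icon label
```

Because the node rows are built from the path rows already in the pipeline, any host that appears in the logs during the search window gets a node automatically, and a host that stops logging disappears from the map along with its path; only the fixed hub node ("BEL") is still declared by hand.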