Hi, everyone,
I have an old dashboard that I want to convert to the Dashboard Studio format. However, it seems that the new Dashboard Studio does not support the use of prefix, suffix, and delimiter in the same way. Is there any way to achieve the same effect using a search query?
Hi there,
While Studio doesn't directly support prefix, suffix, and delimiter the same way, here are some workarounds using search queries:
1. Concatenate Strings:
Example:
index=_internal | search name="myMetric" | eval combinedValue=concat("prefix_", value, "_suffix", "|")
2. Leverage Panel Formatting:
3. Utilize Calculated Fields:
4. Consider Panel Types:
5. Reference Older Formats:
Remember:
~ If the reply helps, a Karma upvote would be appreciated
HI,
I concatenate strings that I want successfully, but i can't use it to find data when I put the strings into subsearch.
Here's my code below:
index="list" device=C*
| eval x="IPAD,NB,PC"
| eval x=split(x, ",")
| mvexpand x
| eval combine= "device_No=" . x
| stats values(combine) as combine
| eval final_condition = mvjoin(combine, " OR ")
| search final_condition
I would suggest not using mvexpand, as in your example search - in your example you will triple the raw events.
Can you provide a sample of the inputs you want to be able to select
DS makes a multiselect token= a,b,c so you can use this logic in your search that wants to use the token
index=your_index
[
| makeresults
| fields - _time
| eval <your_field_name>=split("$token$", ",")
| mvexpand <your_field_name>
]
How were you using prefix/suffix/delim in your old dashboard?
Hi,
I use a multiselect drilldown input to select items I want to check, so the inputs would be like
"NB, IPhone, Mac, PC", or
"NB, IPhone"
and I want to change inputs into another format like below so I can use it in subsearch:
Device=NB OR Device=IPhone OR Device=Mac OR Device=PC
That's exactly what the subsearch will do. The output of a subsearch is to make
<field>=<value> OR <field>=<value>...
where the results of the subsearch are in a table with field name 'field'. You can see the output of the subsearch just by running the search manually as a normal search and adding
| format
to the end of the search, which is implicit in the subsearch