I have 4 applications. All of them generate events like RECEIVED, DELIVERED and DISCARDED.
In my dashboard, I want to have a panel which shows:
Currently these 3 are displayed as 3 different timechart panels.
I would like to combine them into one single timechart, which would reduce the clutter on the dashboard.
Is that possible? If so, how should I frame the query so that it is efficient?
Event example
{
"log_processed" : {
"message" : { "app_name" : "cs-app1", "logEvent" : "RECEIVED" }
}
}
RECEIVED events
index=dockerlogs
| search log_processed.app_name IN ("cs-app1", "cs-app2","cs-app3")
| spath input=log_processed.message output=logEvent path=logEvent
| search logEvent = "RECEIVED"
| timechart span=1d count(logEvent) by logEvent
DELIVERED events
index=dockerlogs kubernetes.namespace_name=default
| search log_processed.app_name IN ("cs-app4")
| spath input=log_processed.message output=logEvent path=logEvent
| search logEvent = "DELIVERED"
| timechart span=1d count(logEvent) by logEvent
DISCARDED events
index=dockerlogs kubernetes.namespace_name=default
| search log_processed.app_name=*
| spath input=log_processed.message output=logEvent path=logEvent
| search logEvent = "DISCARDED"
| timechart span=1d count(logEvent) by logEvent
Try something like this
| spath input=events output=app_name path=log_processed.message.app_name
| spath input=events output=logEvent path=log_processed.message.logEvent
| where logEvent="DISCARDED" OR (logEvent="DELIVERED" AND app_name="cs-app4") OR (logEvent="RECEIVED" AND app_name!="cs-app4")
| timechart count(eval(match(logEvent,"DISCARDED"))) as discarded, count(eval(match(logEvent,"RECEIVED"))) as received, count(eval(match(logEvent,"DELIVERED"))) as delivered
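A small Python model of what the combined query computes, added here as an illustration and not taken from the answer above: it applies the three original searches' app filters (RECEIVED from cs-app1..3, DELIVERED from cs-app4, DISCARDED from any app) to constructed sample events and buckets the survivors per day, the way `timechart span=1d count by logEvent` would. The sample events, app names beyond those in the question, and dates are constructed.

```python
import json
from collections import defaultdict

# Constructed sample events (not from the original post). Each tuple is
# (event day, raw event JSON in the shape shown in the question).
SAMPLE_EVENTS = [
    ("2024-05-01", '{"log_processed": {"message": {"app_name": "cs-app1", "logEvent": "RECEIVED"}}}'),
    ("2024-05-01", '{"log_processed": {"message": {"app_name": "cs-app2", "logEvent": "RECEIVED"}}}'),
    ("2024-05-01", '{"log_processed": {"message": {"app_name": "cs-app4", "logEvent": "RECEIVED"}}}'),   # dropped
    ("2024-05-01", '{"log_processed": {"message": {"app_name": "cs-app4", "logEvent": "DELIVERED"}}}'),
    ("2024-05-01", '{"log_processed": {"message": {"app_name": "cs-app1", "logEvent": "DELIVERED"}}}'),  # dropped
    ("2024-05-02", '{"log_processed": {"message": {"app_name": "cs-app3", "logEvent": "DISCARDED"}}}'),
    ("2024-05-02", '{"log_processed": {"message": {"app_name": "cs-app4", "logEvent": "DISCARDED"}}}'),
    ("2024-05-02", '{"log_processed": {"message": {"app_name": "cs-app4", "logEvent": "DELIVERED"}}}'),
    ("2024-05-02", '{"log_processed": {"message": {"app_name": "cs-app9", "logEvent": "RECEIVED"}}}'),   # app not in the IN list, dropped
]

RECEIVED_APPS = {"cs-app1", "cs-app2", "cs-app3"}   # the IN (...) list of the RECEIVED search
DELIVERED_APPS = {"cs-app4"}                         # the IN (...) list of the DELIVERED search
EVENT_TYPES = ("RECEIVED", "DELIVERED", "DISCARDED")

def extract(raw):
    """Mirror the two spath calls: pull app_name and logEvent out of log_processed.message."""
    msg = json.loads(raw)["log_processed"]["message"]
    return msg.get("app_name"), msg.get("logEvent")

def keep(app_name, log_event):
    """The combined where-clause: one predicate replacing the three separate searches."""
    if log_event == "DISCARDED":
        return True                        # any app (app_name=*)
    if log_event == "DELIVERED":
        return app_name in DELIVERED_APPS
    if log_event == "RECEIVED":
        return app_name in RECEIVED_APPS
    return False

def timechart(events):
    """Equivalent of `timechart span=1d count by logEvent`: {day: {type: count}}, all three types per day."""
    table = defaultdict(lambda: dict.fromkeys(EVENT_TYPES, 0))
    for day, raw in events:
        app_name, log_event = extract(raw)
        if keep(app_name, log_event):
            table[day][log_event] += 1
    return {day: table[day] for day in sorted(table)}

if __name__ == "__main__":
    for day, counts in timechart(SAMPLE_EVENTS).items():
        print(day, counts)
```

The answer's `app_name!="cs-app4"` is equivalent to the original IN list only while no other app emits RECEIVED; the cs-app9 sample event is there to make that difference visible.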