*Hello
I have a populating search of:
index=api host=*XXX* requestURI="/xxx/xx/xxx/*" xyz=true | rename clientIP AS clientip | lookup dnslookup clientip OUTPUT clienthost | transaction transactionId maxspan=10s | search "Inbound" OR "Outbound" | eval Proc=if(proc = "null", "NONE", proc) | stats count by Proc
the search returns logs like:
2016-12-07 12:00:38,285 INFO MessageProcessor-123 com.domain.platform.stuff.stuff - className=CookieBasedAuthHandler method=handleRequest js_request=true requestURI=/xxx/xxx/v3/123456789?mode=tools&ucm=true&proc=null requestMethod=GET transactionId=123456789 token_validation_status=success
2016-12-07 12:00:38,290 DEBUG PassThroughMessageProcessor-386 org.wso2.carbon.api.gateway.stuff.stuff.ExtensionHandler - Inbound API call from client to gateway: appName=Application , userName=email@domain.com , transactionId=123456789, requestURI=/xxx/xxx/xx/123456789?mode=tools&ucm=true&proc=null , requestTime=Wed Dec 07 12:00:38 UTC 2016 , clientIP=xxx.xx.xxx
2016-12-07 12:00:38,301 DEBUG MessageProcessor-347 org.wso2.carbon.api.gateway.stuff.stuff - Outbound API call from gateway to client: appName=Application , userName=email@domain.com , transactionId=123456789, requestURI=/xxx/xxx/xx/123456789?mode=tools&ucm=true&proc=null , requestTime=Wed Dec 07 12:00:38 UTC 2016 , statusCode=200 , EndPointURL=http://api-xxx.xxx.com/catalog-xxx/xx/xxxx
the field proc
is what I would like to use in the dropdown. Currently its always the value of the literal "null" but will eventually be other values.
In the top search I eval'd the proc field, just to make sure what I was doing was working. So if proc
was the literal null
change it to NONE
and if not use the value of proc
which works but ideally I'd like to not use the eval.
Proc count
NONE 259
but the dropdown never populates with this value.
Hers the dropdown code:
<label>PROC</label>
<search>
<query>index=api host=*XXX* requestURI="/xxx/xx/xxx/*" ucm=true | rename clientIP AS clientip | lookup dnslookup clientip OUTPUT clienthost | transaction transactionId maxspan=10s | search "Inbound" OR "Outbound" | eval Proc=if(proc = "null", "NONE", proc) | stats count by Proc</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<fieldForLabel>ProcName</fieldForLabel>
<fieldForValue>ProcName</fieldForValue>
</input>
Add the following to the end of your query
... | rename Proc as ProcName | table ProcName
Add the following to the end of your query
... | rename Proc as ProcName | table ProcName
Yes indeed that worked. So this was an issue with me not using the fieldForLabel or fieldForValue? So really it was creating the search and assigning the value to the fieldForValue field?
Yes, the field you want to use in the dropdown needs to match the value in fieldForValue, I pretty much always use the same field for "fieldForLabel" as you did.
I knew it was something easy I was missing, just needed some new eyes.
thanks!
No problem. Glad to be helpful.