hi
I use the search below in a chart panel
`CPU`
| fields process_cpu_used_percent host process_name
| where process_cpu_used_percent>50
| eval host=upper(host)
| dedup host process_name
| eval process_name=case(process_name like "mfev%", "mfev", process_name like "mcdatrep", "mcdatrep", process_name=="mcshield", "mcshield", process_name=="amupdate", "amupdate", process_name=="McScript_InUse","McScript_InUse", process_name=="macompatsvc", "macompatsvc", process_name=="FrameworkService","FrameworkService", process_name=="McScanCheck", "McScanCheck", process_name=="Sysmon", "Sysmon")
| stats count(host) as Total by process_name
| sort -Total
I have added a dropdown list in order to filter by process_name
<input type="dropdown" token="tok_filterprocess" searchWhenChanged="true">
<label>Filter by Process</label>
<default>*</default>
<initialValue>*</initialValue>
<choice value="McAFEE">McAFEE</choice>
</input>
All the services you can see in my search concern the "McAFEE" process.
Even though I have added process_name=$tok_filterprocess$ to my search, I don't know how to link all these services with the choice value "McAFEE".
Could you help me please?
Hi,
the way I understand your challenge, you are trying to map a set of process_name values to a "group" named "McAFEE", such that when you select "McAFEE" in the dropdown, you only see those process_name values in your table that are associated with McAFEE.
If this is what you would like to do, the solution is a lookup table (process_group.csv) in a format like this:
process_name,process_group
"mcshield","McAFEE"
"amupdate","McAFEE"
...
Add the map to your search and select the matching fields:
...| dedup host process_name | lookup process_group.csv process_name | search process_group="$tok_filterprocess$" | ...
Hope it helps
Oliver
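Oliver's lookup approach wired into a complete dashboard panel, as an added example that is not part of this thread: the dropdown is populated from the same process_group.csv (assumed to be uploaded as a CSV lookup file) instead of hard-coding "McAFEE", the chart search adds the lookup step before the token filter, and a fillnull keeps processes with no group visible when "*" is selected.

```xml
<form>
  <label>CPU by process group</label>
  <fieldset submitButton="false">
    <!-- Choices come from the lookup itself, so adding a row to process_group.csv
         adds a group to the dropdown without editing the dashboard. -->
    <input type="dropdown" token="tok_filterprocess" searchWhenChanged="true">
      <label>Filter by Process group</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>process_group</fieldForLabel>
      <fieldForValue>process_group</fieldForValue>
      <search>
        <query>| inputlookup process_group.csv | stats count by process_group</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- CSV lookups match process_name exactly. A row such as "mfev*" only matches
               if a lookup definition sets match_type = WILDCARD(process_name) in
               transforms.conf, and the search then references that definition name. -->
          <query>`CPU`
| fields process_cpu_used_percent host process_name
| where process_cpu_used_percent>50
| eval host=upper(host)
| dedup host process_name
| lookup process_group.csv process_name OUTPUT process_group
| fillnull value="other" process_group
| search process_group="$tok_filterprocess$"
| stats count(host) as Total by process_name
| sort -Total</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

With "*" selected every row keeps a process_group (unknown processes get "other"), so the search filter drops nothing; selecting "McAFEE" keeps only the process_name values mapped to that group in the CSV.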
Hi Oliver, thanks for your proposal,
but do you think it is mandatory to do that with a lookup, or is there another solution?
I would prefer without a lookup...
Hi, IMHO lookup is the fastest and most efficient way. You could use case statements, which make the code look clumsy and hard to maintain in a non-trivial setting. If you would like to use an index instead of .csv, you could index the map and do a ...| join type=inner process_name [ search index=yourindex process_group=$tok_filterprocess$ | table process_name, process_group] | ... in your search, adding some overhead and complexity. Alas, if you use the "inner" join, you can leave out the additional search that selects the matched processes, as this is implicitly being done in the join.
Oliver
Thanks for all.