Hi ,
I have a case like this
index=i_prod (MemoryCached* OR MemoryTotal*) (host="vr" OR host="vfr") |table _time host MemoryCached* MemoryTotal*
i am passing host as muliselect token . MemoryCached and MemoryTotal and similar are fields in my index that are also i am fetching using a multiselect token using fieldsummary .
Now , i want to display a table statistics":
coloumns as
host MemoryTotal MemoryCached
Now , the query i am using above displays host as coloumn names but cant present the selected token as coloumn names
I am inteding an output like this
_time host MemoryCached MemoryTotal
2018-11-12 15:30:01 vgax16vr 1876791296 16649756672
2018-11-12 16:00:01 vgax16vr 1878134784 16649756672
2018-11-12 14:15:01 vgax16vr 1867366400 16649756672
2018-11-12 13:30:01 vgax16vr 1880264704 16649756672
2018-11-12 12:45:01 vgax17vr 1280692224 16649756672
2018-11-12 12:15:02 vgax16vr 1870192640 16649756672
@Mohsin123 can you please add a bit more detail to your question? I feel the above output is what your current query should be providing. If not please share current output and expected output. Also share your current query.
index=idx_aprod (SwapFree OR MemoryTotal*) (host="*") source=Apigssor
| table _time host MemoryTotal SwapFree
Problem is :
multiselct tokens:
these are fields : (SwapFree OR MemoryTotal*)
host is a field : (host="")
host i can display as stats table , but when i am passing fields like swap/memory* as tokens how to extract them and display as coloiumn values ...
hope u understand...if u wont mind, can u share your phone number
My results :
_time host MemoryTotal SwapFree
2018-11-13 15:00:02 vgax77vr 16649756672 9793662976
2018-11-13 15:00:02 vgax29vr 16649756672 9746841600
2018-11-13 15:00:01 vgax22vr 16649756672 10090438656
2018-11-13 15:00:02 vgax78vr 16649756672 9784999936
2018-11-13 15:00:01
the results i am getting under host are values for the token host .
but memory* and Swap* are the field names i am [passing as tokens .
And i want to display their values for each host .
is there a way to create a new field for each token ...like $1=memoryfree , $2=swapfree
and i can display | table host $1 $2
we create fields to tokens , here i want to create fields /colomns for each token value
@Mohsin123 seems like the table output in your question is your current search result. Can you show example of expected search result? Also use Code button 101010
to post SPL and data so that special characters do not escape.
@niketnilay
@renjith.nair