Hi, I have a search which is returning the tags in the display; the tags work, as I report on these tags in all of our searches. Can anyone see anything specific in the search which would stop tags from working? (This does not work even when I take out the rename, and the field also reports as blank in the search results.)
index="os" tag::host=*Jets* | rename tag::host as environment | multikv fields PID COMMAND ARGS | search COMMAND="jrr*" ARGS !=*getStates* | stats max(_time), min(_time) by PID, ARGS, host | rename max(_time) as max | rename min(_time) as min | eval end=max | eval start=min | convert timeformat="%d/%m/%y %H:%M:%S.%l" ctime(start) | convert timeformat="%d/%m/%y %H:%M:%S.%l" ctime(end) | eval uptime=max-min | eval hour=floor(uptime/3600) | eval minute=floor((uptime-(hour*3600))/60) | eval seconds=uptime-(hour*3600)-(minute*60) | strcat hour ":" minute ":" seconds duration | rex field=ARGS "-[a-zA-Z\.\=\/\_\-\:0-9\,]*.BootIdentityFile=servers\/(?<instance>[a-z0-9]*)\/data" | sort host, instance, PID | eval now=time() | eval diff=floor(now-max-180) | eval diff=if(diff<=0,0,diff) | eval status=diff | fillnull value=admin instance | replace 0 with "RUNNING" in status | replace "1" with RUNNING in status | eval status=if(isint(status),"PID NOT UP",status) | eval hours2=floor(diff/3600) | eval mins2=floor((diff-(hours2*3600))/60) | eval seconds2=diff-(hours2*3600)-(mins2*60) | dedup host, instance | strcat hours2 " Hours " mins2 " minutes " seconds2 " seconds" downTime| fields host, environment, instance, PID, start, end, duration, status, downTime | rename duration as Up_time
Wow. That's quite a search command!
After reading this a few times, I think I see your issue. The environment field is being dropped by your stats command. You are keeping host, but that does not keep the tag::host field. You could fix this by including tag::host in your list of grouping fields (the by clause), but I suggest using the tags command instead....
Try using this:
| stats ... | tags host | rename tag::host as environment
If you don't mind, here are a few other comments on ways to slightly simplify your search. None of this is major stuff, but you may find one of these helpful.
You can rename the results directly in the stats command. So this:
| stats max(_time), min(_time) by PID, ARGS, host | rename max(_time) as max | rename min(_time) as min
Could be written as:
| stats max(_time) as max, min(_time) as min by PID, ARGS, host
The convert command can do multiple conversions at once, so you could combine them both as:
| convert timeformat="%d/%m/%y %H:%M:%S.%l" ctime(start) ctime(end)
I noticed that your regular expression in the rex command has a bunch of unnecessary escape sequences.
| rex field=ARGS "-[a-zA-Z.=/_:0-9,-]*.BootIdentityFile=servers/(?<instance>[a-z0-9]*)/data"
(Note that I moved the "-" to the end of your character range matching. Otherwise the "-" gets seen as a character range definition rather than the literal character "-". If you are used to perl or awk, sometimes you do need a bunch of extra backslashes, but they aren't necessary as part of the regex itself, so you don't need them here.)
You can also do multiple replace operations in one command. So this:
| replace 0 with "RUNNING" in status | replace "1" with RUNNING in status
could be written as:
| replace "0" with "RUNNING", "1" with RUNNING in status
On a second look, perhaps you may want to replace all three of your status renaming commands and use a single eval command using the case statement. I'm not sure what's best, but it may be something to consider.
That's it. You have quite an impressive search going on and perhaps one or two of these ideas will help keep it more manageable. (BTW, I haven't tested any of these, so I'd only try making one change at a time.)
Best of luck!
Thanks, I missed that in the search. Also thanks for the useful tips on reducing the search text 🙂