Hi Team,
We have created a dashboard and passing the device number from the form input token to the dashboard panel, it works properly when passing the device number but when we pass (*) wildcard character, we get an error message " Error in 'rename' command: Wildcard mismatch", when we use the rename command like this "rename abc* as mcd* it show the number of columns for all the device number. However, we want to show only 5 columns
For example : We get correct data when we pass the device number but when we pass * wildcard character it increases the device numbers columns
Time | Device_Number | Router_Model | Router_Name |
10.30 | abc123 | ABC1234 | Cisco123 |
11.30 | abc123 | DEF1234 | Cisco1234 |
12.30 | abc123 | EFG1234 | Cisco567 |
1.30 | abc123 | CDE1234 | Cisco789 |
When passing wildcard character in the query:
Time | abc123_Device_Number | def123_Device_Number | ghi123_Device_Number | abc123_Router_Model | def123_Router_Model | ghi123_Router_Model | abc123_Router_Name | def123_Router_Name | ghi_Router_Name |
10.30 | abc123 | def123 | ghi123 | ABC1234 | NCFMM_Cisco | AGBDVDMM_Cisco | Cisco | Netgear | Netgear |
11.30 | abc123 | def123 | ghi123 | CDE3434 | NCFMM_Cisco | AGACJJBCJM_Cisco | Netgear | Netgear | Netgear |
12.30 | abc123 | def123 | ghi123 | GHI1233 | NCFNNM_Cisco | AGAGDNM_Cisco | Cisco | Netgear | Netgear |
1.30 | abc123 | def123 | ghi123 | LEF1232 | NCDDMM_Cisco | AGABDBDMM_Cisco | Cisco | Cisco | Cisco |
2.30 | abc123 | def123 | ghi123 | HDDF112 | NCDDM_Cisco | AGAGBBM_Cisco | Netgear | Netgear | Netgear |
when passing wildcard character from the token then using in the rename increases the columns, when normally passing token without wildcard it is proper, can we wildcard in such a way that columns count don't increase.
Thanks in advance for the help!
when you pass value with wildcard from form input then wildcard might match more than one field. all fields will have different set of values. your requirement is to rename matching fields to one field. what about values of more than one matching field, which field values would you want to display. for example, if you want to sum matched field1,field2,field3 from field* then that is possible ( I have just given example).
I want all the values of the field to display in under one common fields instead of having multiple fields.
Here is an example to help you understand better.
Time | abc123_Device_Number | Router_Model | Router_Name |
10.30 | abc123 | ABC1234 | Cisco |
11.30 | abc123 | CDE3434 | Netgear |
12.30 | abc123 | GHI1233 | Cisco |
1.30 | abc123 | LEF1232 | Cisco |
2.30 | abc123 | HDDF112 | Netgear |
3.30 | def123 | NCFMM_Cisco | NCFMM_Cisco |
4.30 | def123 | NCFMM_Cisco | NCFMM_Cisco |
5.30 | def123 | NCFNNM_Cisco | NCFNNM_Cisco |
6.30 | def123 | NCDDMM_Cisco | NCDDMM_Cisco |
7.30 | def123 | NCDDM_Cisco | NCDDM_Cisco |
if you rename multiple matched fields to one field then what about values of multiple fields renamed to one?
I believe you should use token starting of the search to format the results the way you want rather just renaming at the end.
I didn't get it.
We are passing token through form input text, when passing values it works fine but when passing wildcard character there is an issue. We want to have the same format.
Obviously you will see more matches when you use wildcard. make sure you get relevant fields when you use wild card. if you need more help, post you query here and explain more.
We don't need more columns.
Here is a sample query:
index=abc_test sourcetype="tomcatlog"
| rex "\"(?<deviceSN>[-\w]*)\" max_match=20
| rex "(?<json1>{.*})"
| spath input=jsontest
| eval time=strftime(_time,"%F %T.%3N %Z")
| sort 0 - _time
| rename number.$tokenvalue$.setting.fields{}.test{}.x AS test_x numbers.$tokenvalue$.setting.fields{}.test{}.y AS test_y router.$tokenvalue$.fields.names.areas{}.area AS areas_a router.$tokenvalue$.fields.settings.router{}.model AS model_a
It works fine when passing the serial number but it doesn't work when passing wildcard character.
So we had to format the rename command using wildcard but it increases the columns but we want the columns to remain intact