Hello Everyone,
I am new to base search and need some help from you.
With the help of base search, I want to prepare a dashboard where I can get the display of different applications installed in the network respectively, e.g. number of Chrome, Mozilla, Skype, etc. in different panels.
Filtering search query likely Product_name="Chrome" OR Product_name="Skype"
Note: Using -- instead of html tag as it is not allowing while posting this post. Thanks for understanding.
Base query what I have written is:
--search id="product_name>
“index="index_name" (ProductName=#1# OR ProductName=#2# OR ProductName=#3# OR etc.) | dedup host, ProductName | stats count
--/search>
and the main query:
--search base="product_name">
--query> stats count --/query>
--/search>
Basically, where I got stuck is: I want the stats count, but while filtering product name do I need to mention it in the base query or later in the main query, and how do I do that for different product_name values in different dashboard panels referring to the base search?
Please help.
Thanks in advance,
Binay Agarwal
First, note that you can post code/xml in readable format using the button on the text format toolbar that looks like two rows of binary numbers. That will give you a text box to enter code. You can also use the back-tick character to wrap code.
Now, getting to your question. It seems like you left some details out of your original post. If I interpreted things correctly, my guess is you want to display the number of hosts for specific products. Is that correct?
If so, you would want to do the following. Note, you were missing <query></query> in your base search, and the use of dedup is unnecessary if you are just counting hosts by ProductName.
<!-- your base search -->
<search id="product_name">
<query>
index="index_name" (ProductName=#1# OR ProductName=#2# OR ProductName=#3# OR etc.)
| stats count by host ProductName
</query>
</search>
<!-- in your skype panel -->
<search base="product_name">
<query>
search ProductName="Skype"
| stats count
</query>
</search>
<!-- in your Chrome panel -->
<search base="product_name">
<query>
search ProductName="Chrome"
| stats count
</query>
</search>
@bagarwal - you can use the "code" button - the one that looks like "101 010" - to mark a section of text as "code" so that the system will not mess with your formatting and html-like entries. You could also put a grave accent (looks like this ` ) in front of and after the code, to accomplish the same thing. AND, you can also indent the code with four or more spaces in front of each line; that will also mark it as code. Hmm. There are a couple more ways, but one of those should help you next time you need to post a chunk of code.
Thanks a lot. It works 🙂 🙂
Hi,
Thanks for the valuable input.
I ran my query like this below, but somehow the result is not coming.
<!-- base search-->
<search id="product_name">
<query>index="index_name" (ProductName="Google Chrome" OR ProductName="Skype") | stats count</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Google Chrome</title>
<search base="product_name">
<query>search ProductName="Google Chrome" | stats count</query>
</search>
</single>
</panel>
</row>
<row>
<panel>
<single>
<title>Skype</title>
<search base="product_name">
<query>search ProductName="Skype" | stats count</query>
</search>
</single>
</panel>
</row>
Not sure where it is missing or where I am going wrong. If I run the above base query as a normal search I can get the count, but when it passes to the query for the panel, no result is coming.
Will be really thankful if it can be fixed.
Thanks & Regards,
Binay Agarwal
Try this. You are missing ProductName and host in the base search. Your previous post removed those fields when you ran stats count with no by clause.
<search id="product_name">
<query>index="index_name" (ProductName="Google Chrome" OR ProductName="Skype") | stats count by ProductName host</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Google Chrome</title>
<search base="product_name">
<query>search ProductName="Google Chrome" | stats count</query>
</search>
</single>
</panel>
</row>
<row>
<panel>
<single>
<title>Skype</title>
<search base="product_name">
<query>search ProductName="Skype" | stats count</query>
</search>
</single>
</panel>
</row>
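A model of why the first version of the dashboard showed nothing and the corrected base search works, as an added Python example that is not part of this thread: it imitates SPL `stats count [by ...]` and the post-process pipeline over constructed inventory events, not real Splunk, and the host names are made up.

```python
from collections import Counter

# Constructed sample events standing in for the index the thread searches.
# ws01 carries a duplicate Chrome inventory record on purpose.
EVENTS = [
    {"host": "ws01", "ProductName": "Google Chrome"},
    {"host": "ws01", "ProductName": "Skype"},
    {"host": "ws01", "ProductName": "Google Chrome"},
    {"host": "ws02", "ProductName": "Google Chrome"},
    {"host": "ws03", "ProductName": "Skype"},
]

def stats_count(rows, by=()):
    """Model of SPL `stats count [by f1 f2 ...]`: output rows carry only the
    by-fields plus `count`; every other field from the input is dropped."""
    if not by:
        return [{"count": len(rows)}]
    groups = Counter(tuple(r.get(f) for f in by) for r in rows)
    return [dict(zip(by, key), count=n) for key, n in groups.items()]

def base_search(events, products, by):
    """The base search: filter on an OR of ProductName values, then stats."""
    matched = [e for e in events if e.get("ProductName") in products]
    return stats_count(matched, by)

def post_process(base_rows, product):
    """A panel's post-process search: `search ProductName="X" | stats count`.
    It only sees the rows the base search emitted, never the raw events."""
    filtered = [r for r in base_rows if r.get("ProductName") == product]
    return stats_count(filtered)[0]["count"]

def panel_counts(by):
    """Counts for the two single-value panels, given the base search's by-fields."""
    base = base_search(EVENTS, {"Google Chrome", "Skype"}, by)
    return {p: post_process(base, p) for p in ("Google Chrome", "Skype")}

if __name__ == "__main__":
    # Base search ending in a bare `stats count`: ProductName is gone, so
    # every panel filter matches nothing.
    print("no by clause:       ", panel_counts(()))
    # Base search with `stats count by ProductName host`: one row per
    # (product, host) pair, so each panel counts hosts and the duplicate
    # record on ws01 collapses without needing dedup.
    print("by ProductName host:", panel_counts(("ProductName", "host")))
```

Keeping a transforming command such as stats in the base search also matters in real Splunk: a base search that hands raw events to post-process panels is subject to a result cap (see the Splunk docs on post-process search limits), while the small aggregated table from stats is not.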