We have some timecharts that display information collected by Server_IP, using searches similar to this
... | timechart sum(Bytes) by Server_IP
The problem is the IP values are reasonably meaningless to the people using this chart, so we'd like to display the hostname of the server associated with the IP. We've looked at the "charting.legend.labels" property but that is a statically defined list of values, and depending on time range selection and other values the list of IPs being displayed will change, as will the order of the IPs. So we are looking for a way to do what amounts to a lookup of each IP into a table that returns the Hostname, and use the Hostname as the label displayed in the legend. Can this be done?
You can do either:
Perform the lookup before the aggregation (i.e., before timechart):
... | lookup iptoname Server_IP OUTPUT Server_Name | timechart sum(Bytes) by Server_Name
Use stats as the aggregator , and do it after stats
... | bucket _time | stats sum(Bytes) by _time Server_IP | lookup iptoname Server_IP OUTPUT Server_Name | xyseries _time Server_Name sum(Bytes)
since you can replicate timechart <function> by <field>
using bucket _time | stats <function> by _time <field> | xyseries _time <field> <function>
Are the host values not correct in the host field? Then it would just be
... | timechart sum(bytes) by host
I see. Can you add the host name to the summary index? If not, you can do a lookup but you will first need to populate a csv file with the IP, hostname pairs. If you still have the raw data this should be straight forward to do with the outputcsv command. This approach has its limitations as it only works well when the IPs and hostnames are not terribly dynamic.
The data must be collected by IP, which winds up in summary indexes in a field called "Server_IP". Therefore we are stuck with trying to transform the IP into the corresponding server name when displaying the legends.