Hello!
I have an index with events that have a `status` field. They come in the index in real time. I have a dashboard with a timechart and here I want to plot two series based on the selected input above. This input is a dropdown list consisting of:
- `status` field (extracted with a search)
- `all`, having the value `*`
In the timechart, I want to have two series, as follows:
AND the value is not `not found`
Until now, I have the following query:
```
index="my_events"
| makemv delim="," status
| eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)
| timechart
    count(_raw) as "All events"
    sum(matching) as "Matching events"
```
This search works for all the values, but not for the `all` one. If I select `all`, the "matching" series will always be 0. I tried to use `LIKE` or a combination between `eval` and `search` but I could not get the desired results.
How can I achieve the above described behavior? Where is the mistake in my query or how can I improve it?
Thanks!
Edit:
I also have a panel with a single value to show only the matching events from the previous hour. It looks like this:
```
earliest=-1h latest=now() index="my_events"
| makemv delim="," status
| search status!="not found"
| search status="$sourcetype_tok$"
| timechart span=1h count
```
I want to say that this is working (maybe because `*` in combination with `search` works differently).
Change your `all` value in the dropdown to `.+` and change this line:
```
| eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)
```
To this:
```
| eval matching=if(status!="not found" AND match(status, "$status_tok$"), 1, 0)
```
The problem is that the `*` character is a wildcard with `search` but a string literal with `eval` and `where`.
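As an added illustration (not part of the original answer), the following stand-alone search builds four constructed events with `makeresults` and evaluates the same condition three ways: the literal comparison `status="*"` only flags the row whose status really is the string `*`, while `match(status, ".+")` (the `.+` dropdown value from the answer) and `like(status, "%")` flag every row except `not found`:

```spl
| makeresults count=4
| streamstats count AS n
| eval status=case(n==1, "ok", n==2, "not found", n==3, "pending", n==4, "*")
| eval literal_star=if(status!="not found" AND status="*", 1, 0)
| eval regex_any=if(status!="not found" AND match(status, ".+"), 1, 0)
| eval like_any=if(status!="not found" AND like(status, "%"), 1, 0)
| table n status literal_star regex_any like_any
```

The `literal_star` column is what the original `status="$status_tok$"` computes when the token is `*`, which is why the "Matching events" series stayed at 0.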
This is the right idea, but `match` expects a regular expression and `"*"` is not valid regex. I think this will do it
```
| eval token=if("$status_tok$"="*", ".*", "$status_tok$")
| eval matching=if(status!="not found" AND match(status, 'token'), 1, 0)
```
No, see the first part of my sentence about changing to `.+`; that's where the RegEx is.
You can try:
```
index="my_events"
| makemv delim="," status
| eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)
| timechart
    count as "All events"
    sum(matching) as "Matching events"
```