Hello Everyone,
I have dashboard with token value as datacenter, which has 3 options from dropdown:
Dublin ="*dbl_dc_01*"
Singapore= "*sing_dc_01*"
Both = "*" (this is incorrect for my requirement.. i know)
Currently I am plotting the line chart graph based on the search when
$datacenter$ Dublin is selected using the below search query:
(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Dublin_Hits"
$datacenter$ Singapore is selected:
(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Singapore_Hits"
When Both selected - I need that 2 lines to be plotted on that same chart:
From the independent search query, i am able to achieve this using 2 searches with append
(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Dublin_Hits" | append [ search (index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Singapore_Hits"]
How do we get this plotted in the same dashboard when BOTH is selected from drop down
Note: $servicename$ value is generated dynamically based on data centre location
Hi @super_edition,
Could you please try something like below?
(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster=$datacenter$
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by openshift_cluster
Hi @super_edition,
Actually because of timechart ... by openshift_cluster you should see different time series for each openshift_cluster. Also there is no sum function.
Could you please check and confirm if you used the search as it is? Including by openshift_cluster?
Hello @scelikok
thanks actually the query shared by you works. I overlooked the last bit of the search hence the confusion.
Hi @super_edition,
Could you please try something like below?
(index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster=$datacenter$
| search "message.logType"=CLIENT_REQ
| search "message.url"="$servicename$"
| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by openshift_cluster
Hello @scelikok
When the given search is executed only 1 line is plotted in line chart using the data which is the sum of dublin and singapore. Not separately. - When the BOTH (whose value is *) is selected from dashboard's dropdown