I have search results like this:
Host         Description      EventSize
127.0.0.1    Prod DB          90
127.0.0.2    Trade Service    34
I need to remove the "Description" field from the visualization (for a chart like "EventSize by Host"), but not remove this field from the search results. How can I do that?
Thanks.
UPD.
It isn't a dashboard, so it doesn't have Simple XML. I use this search for my report:
|inputlookup Source_description #add CSV lookup with Descriptions
|fields Host Description
|join
[search index=_internal source=*license_usage.log type="Usage"
|stats sum(b) as b by h
|eval TotalSizeMB=if(len(b)=0 OR isnull (b), "0.00", round (b/1024/1024,2))
|fields h, TotalSizeMB
|rename h AS Host ]
|fields Host Description TotalSizeMB
|sort 5 - TotalSizeMB
And I have statistics and visualization tabs like this:
You can see that the Description field is useless in the chart, but useful in the statistics table.
I can use a command like this: " |eval Host=Host." - ".Description |fields - Description " to merge the 2 fields, but it isn't the best solution, because it becomes difficult to read the Host field.
So, how can I remove this field from the chart, but keep it in the statistics search?
You can use a post-processing search to generate the chart without the Description.
Assume this is the definition of your table. Note the <search id="base_search">
<table>
  <title>...</title>
  <search id="base_search">
    <query>
      |inputlookup Source_description #add CSV lookup with Descriptions
      |fields Host Description
      |join
        [search index=_internal source=*license_usage.log type="Usage"
        |stats sum(b) as b by h
        |eval TotalSizeMB=if(len(b)=0 OR isnull (b), "0.00", round (b/1024/1024,2))
        |fields h, TotalSizeMB
        |rename h AS Host ]
      |fields Host Description TotalSizeMB
      |sort 5 - TotalSizeMB
    </query>
  </search>
</table>
Then you can use <search base="base_search"> as a post-processing search to remove that one field.
<chart>
  <title>...</title>
  <search base="base_search">
    <query>
      fields Host TotalSizeMB
    </query>
  </search>
  <option name="charting.chart">column</option>
</chart>
It's a nice solution for dashboards, but not for reports (saved searches). But in any case, thank you! This is the best answer at the moment.
I did not know you needed it for a saved search/report. If that is the case, it would be helpful for you to restate the desired configuration, for example, what fields need to be available where.
I am in a similar situation as was presented in this instance. Suppose we use it and continue on? Is there a way...in saved reports...to 'hide' the field DESCRIPTION in the chart, but still have it present in the table/results?
Hi! I didn't find a solution for saved reports. So I have changed this project and now use dashboards instead of saved reports.
The first panel is an "EventSize by Host" chart and the second panel is a "host, description, EventSize" table.
It's the only solution that I found.
Please accept my answer if the gist of it demonstrated how to fix the issue in the case of dashboards
The answer depends on the type of visualization you are using, and why you need the Description field to stay in the results.
Can you share some of your SimpleXML that would clarify those two things?
Thanks for the reply. I added all the information to the post.
Like this?
index=whatever
| fields Host, Description, EventSize
| table Host, EventSize
Skalli
Edit: With your search of course.
Thanks for the reply, but it doesn't work. The table command removes the "Description" field from the statistics tab in the search results. Any ideas?