Hi,
I'm trying to create a table that contains a list of tasks. The list is static and stored in a lookup table called tasks.csv.
So far I have the following search:
index=one OR index=two | rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.*)" | stats count by task
| search [|inputlookup tasks.csv ]
This creates a table that looks like this:
task | count |
task_a | 1 |
task_b | 1 |
task_c | 1 |
task_d | 1 |
However, if a task in my static list does not appear in the search results, it does not show in the table.
I want the table to contain the whole list of tasks, regardless of whether they appear in the search results or not.
i.e.
task | count |
task_a | 1 |
task_b | 1 |
task_c | 1 |
task_d | 1 |
task_e | 0 |
task_f | 0 |
Any ideas on how I can do this?
The closest I've got is using a join, which does work, but does not allow for a wildcard, meaning I'd need to specify the whole 'task'.
|inputlookup tasks.csv
| join type=left task [ | search index=one OR index=two | rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.*)" | stats count by task]
| fillnull value=0 count
| table task count
Would appreciate any thoughts or suggestions.
Thanks in advance.
index=one OR index=two | rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.*)" | stats count as index_count by task
| eval location = 1
| append
[|inputlookup tasks.csv | eval location = 2 ]
| stats sum(location) as location sum(index_count) as index_count by task
| fillnull value=0 index_count
If location = 1, the task is in the indexes but not in the lookup
If location = 2, the task is in the lookup but not in the indexes
If location = 3, the task is in both the lookup and the indexes
Thanks for the quick reply!
I've also added the following to the end:
| search location=3 OR location=2
| eval status=if(location=2,"Waiting...","Completed")
| table task status
This now lists all of my defined tasks and tells me whether the task has run or not, based on whether the event is returned by the search.
How do I include wildcards?
The task from my indexed data looks like this: "task_a has run successfully with return code x after y minutes"
My lookup task is simply "task_a has run successfully"
So I'd like the search to allow for task_a has run successfully*
Change your rex so that only the first part is extracted into task
| rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.* has run successfully)"
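
Added example, not from any poster in this thread: the pieces above combined into one search that runs on any Splunk instance without the indexes or tasks.csv. Both the three sample events and the three lookup rows are constructed with makeresults as stand-ins, and the event layout (timestamp, one word, then the message) is an assumption based on the rex used in the thread.

```spl
| makeresults count=3
| streamstats count as n
| eval _raw=case(
    n=1, "2024-01-01 10:00:00.000 INFO task_a has run successfully with return code 0 after 5 minutes",
    n=2, "2024-01-01 10:05:00.000 INFO task_b has run successfully with return code 0 after 2 minutes",
    n=3, "2024-01-01 11:00:00.000 INFO task_a has run successfully with return code 0 after 4 minutes")
| rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.*? has run successfully)"
| stats count as index_count by task
| eval location=1
| append
    [| makeresults count=3
     | streamstats count as n
     | eval task=case(
         n=1, "task_a has run successfully",
         n=2, "task_b has run successfully",
         n=3, "task_e has run successfully")
     | fields task
     | eval location=2]
| stats sum(location) as location sum(index_count) as index_count by task
| fillnull value=0 index_count
| eval status=if(location=2, "Waiting...", "Completed")
| table task index_count status
```

With this sample data, task_a and task_b come back as "Completed" with their event counts, and task_e, which exists only in the stand-in lookup, comes back with index_count 0 and status "Waiting...". To use it for real, replace the first three commands with the index search and the makeresults subsearch with `| inputlookup tasks.csv`.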