Solved: Is it possible to merge searches with same index b...

arshiarshi · ‎08-05-2022

Hello,

I have two searches with same index but different host names. Is it possible to have the results of both the searches in a dropdown in a dashboard so that the result appears in a table as per the selection of the host name?

Both the searches have different field names. Can someone guide me on this please?

Thanks in advance.

Arshi.

gcusello · ‎08-08-2022

Hi @arshiarshi,

yes, it's possible, you have two solutions tocustomize your dropdown:

if the association between index and fieldname is fixed and it has few values, you could use this solution:

    <input type="dropdown" token="my_token">
      <label>Hostname</label>
      <choice value="indexA">CPI</choice>
      <choice value="indexB">Mule</choice>
      <prefix>index=</prefix>
    </input>

In this way, using the hostname=CPI, you choose index=IndexA, if you choose hostname=Mule, you choose index=indexB.

then in your search, you can use $my_token$ as main search.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎08-05-2022

Hi @arshiarshi,

you have to rename hone of the fields to have the same field name, e.g. something like this:

if the hostname in indexA is hostnameA and the hostname in indexB is hostnameB,

index=indexA OR index=indexB
| eval hostname=coalesce(lower(hostnameA),lower(hostnameB))
| stats hostname

Ciao.

Giuseppe

arshiarshi · ‎08-08-2022

Hi @gcusello ,

Thanks for your reply. But it is showing some error in the stats command, i think it is expecting something else along with stats command.

Furthermore, to explain in detail

This is my table from indexA

and this is my table from indexB

I have more headings than pasted above.

I think I need to rename the column headings of indexB as per IndexA.

What i want is that the table with indexA should appear and i can switch the data inside the table when i select it for indexB, since i have renamed the field name of indexB similar to indexA. Is there a way i can filter the host name to see the data inside the table?

Thankyou

Arshi

gcusello · ‎08-08-2022

Hi @arshiarshi,

at first, avoid to use dots in field or index names so you don't need quotes.

then don't use quotes in coalesce.

Anyway, the problem is the stats command, you should use:

| stats BY hostname

Ciao.

Giuseppe

arshiarshi · ‎08-08-2022

Hi @gcusello ,

Thanks for your reply,

i am getting the below output

It is not showing my data anywhere. it is showing the stats of count, min, mean, median etc.

Thanks

Arshi

gcusello · ‎08-08-2022

Hi @arshiarshi,

you can display the calculations you want adding them to the stats command:

| stats max(field1) AS max_field1 avg(field2) AS avg_field2 BY hostname

in other words, you can add to the stats command all what you need.

ciao.

Giuseppe

arshiarshi · ‎08-08-2022

Hi @gcusello ,

Thank you for your reply.

Actually, I don't want any calculations on any of the fields. I just want to know if there is a way that two different tables can be filtered using host name in a dropdown.

For eg.

This is my dropdown filter

and when I select any hostname one table should update which is having the data from indexA and when another hostname is selected the data with indexB should appear. But, since indexB has different field names, so I have to rename it with similar field names of indexA so that only data inside the table changes.

Thanks

Arshi

gcusello · ‎08-08-2022

Hi @arshiarshi,

yes, it's possible, you have two solutions tocustomize your dropdown:

if the association between index and fieldname is fixed and it has few values, you could use this solution:

    <input type="dropdown" token="my_token">
      <label>Hostname</label>
      <choice value="indexA">CPI</choice>
      <choice value="indexB">Mule</choice>
      <prefix>index=</prefix>
    </input>

In this way, using the hostname=CPI, you choose index=IndexA, if you choose hostname=Mule, you choose index=indexB.

then in your search, you can use $my_token$ as main search.

Ciao.

Giuseppe

arshiarshi · ‎08-09-2022

Hi @gcusello,

Thank you so much for your reply, it worked.

I used the below script as suggested by you:-

<input type="dropdown" token="dashboard">
<label>Hostname</label>
<choice value="index=index1 host=host1 | table x,y,z">CPI</choice>
<choice value="index=index1 host=host2 | table a,b,c">Mule</choice>
</input>

and then set the token $dashboard$ to my panel.

Thank you

Arshi.

arshiarshi · ‎08-09-2022

Hi @gcusello ,

Thanks for your reply.

i have to differentiate it using host name since index name is same.

i am using the search like below:-

<input type="dropdown" token="dashboard">
<label>Hostname</label>
<choice value="host1">CPI</choice>
<search>
<query>index="index" host="host1" |table x,y,z</query>
</search>
<choice value="host2">Mule</choice>
<search>
<query>index="index" host="host2" | table a,b,c</query>
</search>
<prefix>host=</prefix>
</input>

But unfortunately, the above search is not generating any output.

Thank you

Arshi

gcusello · ‎08-09-2022

Hi @arshiarshi,

you have to say to the input what's the field to use for the token, if it's x, you should use the tags fieldForLabel and fieldForValue:

      <fieldForLabel>y</fieldForLabel>
      <fieldForValue>x</fieldForValue>

thwy can be the same or different and you can insert them also via GUI.

Ciao.

Giuseppe

Siddharth · ‎08-05-2022

I am not sure if i have got the question correctly or not but what i understand you have to create a filter in which field is common but name is different. So what you can do is go to field mapping and rename the field and then it should work.

Is it possible to merge searches with same index but different host names?

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!