I think I got a little closer with
| metadata type=hosts | fields host | tags | search tag::host=* | fields - host
If that is closer, now I need to figure out how to break up the multiline, dedupe, and make the drill-down work. I'm hoping there is an easy query I'm missing.
This will do it:
| metadata type=hosts | tags | mvexpand tag::host | dedup tag::host | fields tag::host
If you need to drill down, you should be able to modify the standard dashboard a bit, just to select the right field name(s).
BTW, and maybe this is too late for you to consider, but I would strongly recommend for this purpose that you consider a lookup table (with a lookup on
host returning each of your other fields) rather than tags. In some ways, they are much easier to manage, and you will be able to search by, e.g.,
environment=prod service=webserver rather than
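As an added illustration of the lookup-table alternative suggested in this answer (this is example SPL, not part of the original post): assume a hypothetical CSV lookup named host_info.csv with the columns host, environment and service, containing constructed rows such as web01,prod,webserver, web02,prod,webserver and db01,prod,database. The file name, column names and the index name main are assumptions; the searches below show how to list matching hosts directly from the lookup, how to enrich events with it, and how to push the host list into the base search so that only events for the matching hosts are retrieved.

```spl
| inputlookup host_info.csv
| search environment=prod service=webserver
| fields host

index=main
| lookup host_info.csv host OUTPUT environment service
| search environment=prod service=webserver
| stats count by host

index=main [| inputlookup host_info.csv | search environment=prod service=webserver | fields host]
| stats count by host
```

The first search answers "which hosts are prod webservers" from the lookup alone, with no event scan, which is the equivalent of the metadata-based tag search above. The second search enriches every retrieved event and filters afterwards, so it pays for reading all of index=main. The third search uses the lookup as a subsearch: Splunk expands it into a host=web01 OR host=web02 ... clause in the base search, so only events for the selected hosts are read from disk. If the lookup is also configured as an automatic lookup on the host field, the environment and service fields become searchable by name without the explicit lookup command.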
Are you suggesting the lookup table approach specifically because he's hitting metadata, as opposed to raw results? If searching against actual events, wouldn't there be a (possibly severe) performance penalty?
Thank you. Tags seemed more natural to me and I understand them already. I'll investigate the lookup table. I suspect lookup tables would be cached in RAM for it to be speedy. I can see how exporting "tag" type info from another system would be easier with a lookup table.