Hello, I'm trying to rename query output and those are string values.
The expected output for field MANAGER_NAME would be like below:
XZ* = PRD
X* = PRD
XY = PRD
YL = DEV
ZN = QAT
I tried the query below but it's not working. Any suggestions?
index=alarms sourcetype=ommc_alarms APPLICATION=spk OR APPLICATION=*spk3* | eval MANAGER_NAME1=case(MANAGER_NAME==XZ* OR MANAGER_NAME==X* OR MANAGER_NAME==XY,"Prd") | eval MANAGER_NAME2=case(AMONAME=="YL*",Dev,AMONAME=="ZN*",QAT)
| stats count by MANAGER_NAME1 ,MANAGER_NAME2
That stats command only works for events with both MANAGER_NAME1 and MANAGER_NAME2 fields populated. I'm guessing that is not the case?
Also: your first case statement is missing the " characters around the XZ* etc.
Also: MANAGER_NAME=="XZ*" OR MANAGER_NAME=="X*" OR MANAGER_NAME=="XY" is a bit silly. Since you include "X*" as one of the options, that already covers the other two cases.
Anyway, you cannot use wildcards there.
You'd probably want to put it all into 1 case statement and use the match() function. E.g.:
index=alarms sourcetype=ommc_alarms APPLICATION=spk OR APPLICATION=*spk3*
| eval MANAGER_NAME1=case(match(MANAGER_NAME,"^X.*"),"Prd",match(AMONAME,"^YL.*"),"Dev",match(AMONAME,"^ZN.*"),"QAT")
| stats count by MANAGER_NAME1
If that is not what you are after, please describe in more detail what your data looks like and what the result would be that you want out of this.
Hello @FrankVl,
I added example values above the query.
I am trying as you suggested, but it is giving me only the first value, Prd, but I need all matching values for Prod, Dev, QAT.
index=alarms sourcetype=ommc_alarms APPLICATION=spk OR APPLICATION=*spk3* | eval MANAGER_NAME1=case(match(MANAGER_NAME,"^prdplhdpx*"),"Prd",match(AMONAME,"^qatehdp*"),"Dev",match(AMONAME,"^devehdp*"),"QAT")
| stats count by MANAGER_NAME1
I want to create a dropdown dashboard based on selection of the environment.
If that search only gives you a Prd result, there is probably something incorrect in the criteria of the case statement. Note: match uses regular expressions, which are case sensitive.
Run the search without the stats count part and see if the MANAGER_NAME1 is populated correctly for all events.
Yes, I ran the query with and without stats count; in both cases, it gives the value of whichever match is provided first in the case.
For instance, if I put match(MANAGER_NAME,"^prdplhdpx*"),"Prd" in the first place of the case, then it gives the matched value of it and it's not considering the other match options, match(AMONAME,"^qatehdp*"),"Dev",match(AMONAME,"^devehdp*"),"QAT").
Basically, the MANAGER_NAME1 value is populated with the first match of the case and it's ignoring the other options.
Can you show a sample of your data showing the MANAGER_NAME and AMONAME fields and the result of the case statement as it is put into MANAGER_NAME1?
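The case()/match() behaviour discussed in this thread, modelled in Python so it can be checked without a Splunk instance. This is an added example, not code from any poster: Python's re.search stands in for SPL match(), and the helper names, sample events and field values are constructed assumptions.

```python
import re
from collections import Counter

def spl_match(value, pattern):
    """Model of SPL match(): unanchored, case-sensitive regex search.
    A missing (null) field never matches."""
    return value is not None and re.search(pattern, value) is not None

def spl_case(event, clauses):
    """Model of SPL case(): evaluated once per event, returns the value of
    the first clause that is true, or None (null) if no clause is true."""
    for field, pattern, result in clauses:
        if spl_match(event.get(field), pattern):
            return result
    return None

# Clauses in the shape suggested in the thread: (field, regex, label).
CLAUSES = [
    ("MANAGER_NAME", r"^X", "Prd"),
    ("AMONAME", r"^YL", "Dev"),
    ("AMONAME", r"^ZN", "QAT"),
]

# Constructed sample events (not data from the poster's index).
EVENTS = [
    {"MANAGER_NAME": "XZ01", "AMONAME": "YL01"},   # two clauses true: first wins
    {"MANAGER_NAME": "XY"},                        # AMONAME missing, still Prd
    {"MANAGER_NAME": "other", "AMONAME": "YL02"},  # falls through to Dev
    {"MANAGER_NAME": "other", "AMONAME": "ZN03"},  # falls through to QAT
    {"MANAGER_NAME": "xz01", "AMONAME": "zn04"},   # lower case: nothing matches
    {"MANAGER_NAME": "other"},                     # AMONAME missing: null
]

def label_events(events, clauses=CLAUSES):
    """Equivalent of the eval step: one label (or None) per event."""
    return [spl_case(e, clauses) for e in events]

def stats_count_by(labels):
    """Model of `stats count by X`: events with a null X are dropped."""
    return dict(Counter(label for label in labels if label is not None))

if __name__ == "__main__":
    for event, label in zip(EVENTS, label_events(EVENTS)):
        print(event, "->", label)
    print(stats_count_by(label_events(EVENTS)))
```

In this model, a result that shows only Prd means no event reached a later clause with a matching AMONAME: either the first clause is true for every event, or AMONAME is missing or differs in case or spelling.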