Hello, I have a question about the use of the foreach command. I have a good idea what the foreach command can do, for example:
index=summary source="summary_events_2"
orig_source=$source$
ms_region=$region$
ms_level=$level$
| timechart span=5m partial=f sum(count) as count
| timewrap d series=short
| rename s0 as Today
| foreach s*
[eval d<<MATCHSTR>> = Today - <<FIELD>>]
I know that this will create new columns like d1, d2, d3, d4, ... that will contain the difference of Today and s*.
Here is my dilemma: what if I do something like this:
index=summary source="summary_events_2"
orig_source=$source$
ms_region=$region$
ms_level=$level$
| timechart span=5m partial=f sum(count) as count by ms_level
| timewrap d series=short
| rename *_s0 as *_Today
This would give me columns like ERROR_Today, WARNING_Today, ERROR_s1, ERROR_s2, WARNING_s1, ... (note that there are 4 levels).
Is there a way to achieve the same result as the first query using the foreach command? I want to be able to create new columns like ERROR_d1, ERROR_d2, WARNING_d1, WARNING_d2.
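For the two-wildcard case asked about above, foreach also exposes `<<MATCHSEG1>>` and `<<MATCHSEG2>>`, which hold the text matched by the first and second `*` of the pattern. The search below is an added example, not part of the original post; the `makeresults` row and its field values are constructed so it can be run on its own, and only two of the four levels are shown.

```spl
| makeresults
| eval ERROR_Today=10, ERROR_s1=7, ERROR_s2=12, WARNING_Today=4, WARNING_s1=6, WARNING_s2=1
| foreach *_s*
    [eval "<<MATCHSEG1>>_d<<MATCHSEG2>>" = '<<MATCHSEG1>>_Today' - '<<FIELD>>']
| table ERROR_Today ERROR_s1 ERROR_d1 ERROR_s2 ERROR_d2 WARNING_Today WARNING_s1 WARNING_d1 WARNING_s2 WARNING_d2
```

In the search from the question, the same `foreach *_s*` clause would go directly after `| rename *_s0 as *_Today`; the renamed `*_Today` columns do not match `*_s*`, so they are not subtracted from themselves.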