We created a dynamic drop down for service code and time range. We have many  service code values out of which "null"  is one of  them. So when we select a particular time range if null value logs are not present also it is showing up in the drop down, We want to see the options in the drop down only if that logs are present during that time. Below is the xml code used: <form version="1.1" theme="light"> <label>Dashboard</label> <fieldset submitButton="false"> <input type="time" token="timepicker"> <label>TimeRange</label> <default> <earliest>-15m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="ServiceCode"> <label>ServCode</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>ServiceCode</fieldForLabel> <fieldForValue>ServiceCode</fieldForValue> <search> <query> index=app-index |rename "resource.attributes.servicecode" as ServiceCode |stats count by ServiceCode |fields ServiceCode </query> <earliest>timepicker.earliest</earliest> <latest>timepicker.latest</latest> </search> </input> </fieldset> <row> <panel> <table> <title>Incoming Count</title> <search> <query>index=app-index source=application.logs AND resource.attributes.servicecode="$ServiceCode$" |table Income Rej_app ATM DMM Reject Rej_log Rej_app </query> <earliest>timepicker.earliest</earliest> <latest>timepicker.latest</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentageRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> <form>   ... View more

In a dashboard showing diff data in a panel, but when we open the panel query using "open in search" its showing correctly.       <form version="1.1" theme="dark"> <label>DMT Dashboard</label> <fieldset submitButton="false"> <input type="time" token="timepicker"> <label>TimeRange</label> <default> <earliest>-15m@m</earliest> <latest>now</latest> </default> </input> <row> <panel> <table> <search> <query> index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) repoter.dataloadingintiated |stats count by local |append [search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) task.dataloadedfromfiles NOT "error" NOT "end_point" NOT "failed_data" |stats count as FilesofDMA] |append [search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) "app.mefwebdata - jobintiated" |eval host = case(match(host_ip, "12.234"), "HOP"+substr(host, 120,24), match(host_ip, "10.123"), "HOM"+substr(host, 120,24)) |eval host = host + " - " + host_ip |stats count by host |fields - count |appendpipe [stats count |eval Error="Job didn't run today" |where count==0 |table Error]] |stats values(host) as "Host Data Details", values(Error) as Error, values(local) as "Files created localley on AMP", values(FilesofDMA) as "File sent to DMA" <query> <earliest>timepicker.earliest</earliest> <latest>timepicker.latest</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="percentageRow">false</option> <option name="rowNumbers">true</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="host_ip> <colorPalette type="map">{"12.234.201.22":#53A051, "10.457.891.34":#53A051,"10.234.34.18":#53A051,"10.123.363.23":#53A051}</colorPalette> </format> <format type="color" field="local"> <colorPalette type="list">[#DC4E41,#53A051]</colorPalette> <scale type="threshold">8</scale> </format> <format type="color" field="FilesofDMA"> <colorPalette type="list">[#DC4E41,#53A051]</colorPalette> <scale type="threshold">8</scale> </format> <format type="color" field="Files created localley on AMP"> <colorPalette type="list">[#DC4E41,#53A051]</colorPalette> <scale type="threshold">8</scale> </format> <format type="color" field="File sent to DMA"> <colorPalette type="list">[#DC4E41,#53A051]</colorPalette> <scale type="threshold">8</scale> </format> <format type="color" field="Error"> <colorPalette type="map">{"Job didn't run today":#DC4E41}</colorPalette> </format> <format type="color" field="Host Data Details"> <colorPalette type="map">{"HOM-jjderf - 10.123.34.18":#53A051"HOM-iytgh - 10.123.363.23":#53A051, HOP-wghjy - 12.234.201.22":#53A051, "HOP-tyhgt - 12.234.891.34":#53A051}</colorPalette> </format> </table> </panel> </row> </form>       Panel displaying in dashboard: When we open the panel in search showing as below:(this is the correct data) Host Data Details Error Files created localley on AMP File sent to DMA HOM-jjderf - 10.123.34.18 HOM-iytgh - 10.123.363.23 HOP-wghjy - 12.234.201.22 HOP-tyhgt - 12.234.891.34   221 86   ... View more

index=app-index source=application.logs | rex field= _raw "RampData :\s(?<RampdataSet>\w+)" | rex field= _raw "(?<Message>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)" | chart count over RampdataSet by Message OUTPUT: RampdataSet Initial message received with below details Letter published correctley to ATM subject Letter published correctley to DMM subject Letter rejected due to: DOUBLE_KEY Letter rejected due to: UNVALID_LOG Letter rejected due to: UNVALID_DATA_APP WAC 10 0 0 10 0 10 WAX 30 15 15 60 15 60 WAM 22 20 20 62 20 62 STC 33 12 12 57 12 57 STX 66 30 0 96 0 96 OTP 20 10 0 30 0 30 TTC 0 5 0 5 0 5 TAN 0 7 0 7 0 7 But we want output as shown below: Total="Letter published correctley to ATM subject" + "Letter published correctley to DMM subject" + "Letter published correctley to DMM subject" + "Letter rejected due to: DOUBLE_KEY" + "Letter rejected due to: UNVALID_LOG" + "Letter rejected due to: UNVALID_DATA_APP" |table "Initial message received with below details"  Total RampdataSet Initial message received with below details Total WAC 10 20 WAX 30 165 WAM 22 184 STC 33 150 STX 66 222 OTP 20 70 TTC 0 15 TAN 0 21 ... View more

Below is the regex used, here we want to extract following fields: DIM TID APPLICATION POSITION CORRLATIONID The rex which i used is extraction DIM, TDI, APPLICATION as one field, but we need them separately. We need to write the rex generic so that it should capture the data if there are different field names as well   ... View more

sample log: {"date" : "2021-01-01 00:00:00.123 | dharam=fttc-pb-12312-esse-4 | appLevel=INRO | appName=REME_CASHE_ATTEMPT_PPI | env=sit | hostName=apphost000adc | pointer=ICFD | applidName=http.ab.web.com|news= | list=OUT_GOING | team=norpass | Category=success | status=NEW | timeframe=20", "tags": {"host": "apphost000adc" , "example": "6788376378jhjgjhdh2h3jhj2", "region": null, "resource": "add-njdf-tydfth-asd-1"}} used below regex to extract all fields  , but  one field is not getting extracted, that is timeframe |regex  _raw= (\w+)\=(.+?) \| how to modify my regex to extract timeframe field as well. ... View more

query 1: |mstats sum(transaction) as Total sum(success) as Success where index=metric-index transaction IN(transaction1, transaction2, transaction3) by service transaction |eval SuccessPerct=round(((Success/Total)*100),2) |xyseries service transaction Total Success SuccessPerct |table service "Success: transaction1" "SuccessPerct: transaction1" "SuccessPerct: transaction2" "Total: transaction2" "Success: transaction2" |join service [|mstats sum(error-count) as Error where index=metric-index by service errortype |append [|search index=app-index sourcetype=appl-logs (TERM(POST) OR TERM(GET) OR TERM(DELETE) OR TERM(PATCH)) OR errorNumber!=0 appls=et |lookup app-error.csv code as errorNumber output type as errortype |stats count as app.error count by appls errortype |rename appls as service error-count as Error] |xyseries service errortype Error |rename wvv as WVVErrors xxf as nonerrors] |addtotals "Success: transaction1" WVVErrors nonerrors fieldname="Total: transaction1" |eval sort_service=case(service="serv1",1,service="serv2",2,service="serv3",3,service="serv4",4,service="serv5",5,service="serv6",6,service="serv7",7,service="serv8",8,service="serv9",9,service="serv10",10) |sort + sort_service |table service "Success: transaction1" "SuccessPerct: transaction2" WVVErrors nonerrors |fillnull value=0   query1 OUTPUT: service Success: transaction1 SuccessPerct: transaction2 WVVErrors  nonerrors serv1 345678.000000 12.33 7.000000 110.000000 serv2 345213.000000 22.34 8777.000000 0 serv3 1269.000000 12.45 7768.000000 563 serv4 34567.000000 11.56 124447.000000 0 serv5 23456.000000 67.55 10.000000 067 serv6 67778.000000 89.55 15.000000 32 serv7 34421.000000 89.00 17.000000 56 serv8 239078.000000 53.98 37.000000 67.0000000 serv9 769.000000 09.54 87.000000  8.00000 serv10 3467678.000000 87.99 22.000000 27.000000 serv11 285678.000000 56.44 1123.000000 90.00000 serv12 5123.000000 89.66 34557.000000 34 serv13 678.000000 90.54 37.000000 56 serv14 345234678.000000 89.22 897.000000 33 serv15 12412.33678.000000 45.29 11237.000000 23.000000 query2: |mstats sum(error-count) as Error where index=metric-index by service errorNumber errortype query2: output: service errorNumber errortype Error serv1 0 wvv 7.000000 serv1 22 wvv 8777.000000 serv1 22 wvv 7768.000000 serv1 45 wvv 124447.000000 serv2 0 xxf 10.000000 serv2 22 xxf 15.000000 serv2 22 xxf 17.000000 serv2 45 xxf 37.000000 serv3 0 wvv 87.000000 serv3 22 wvv 22.000000 serv3 22 wvv 1123.000000 serv3 45 wvv 34557.000000 serv4 0 xxf 37.000000 serv4 26 xxf 897.000000 serv4 22 xxf 11237.000000 serv4 40 xxf 7768.000000 serv5 25 wvv 124447.000000 serv5 28 wvv 10.000000 serv5 1000 wvv 15.000000 serv5 10 wvv 17.000000 serv6 22 xxf 37.000000 serv6 34 xxf 87.000000 serv6 88 xxf 22.000000 serv6 10 xxf 45.000000   we want to combine query 1 and query2 and want to get the both outputs in one table. ... View more

Below are the sample logs , i am not getting how to write props line breaker. can anyone help on this. A0C0A0H8~~AB~ABCg.C~AB~Wed Jan 11 19:11:17 IST 2021~C~0.00~0.00~0.01~Z~1HTYYY B0C0A0K8~~AB~ABCUHg.C~AB~Mon Jan 10 20:11:17 IST 2021~C~0.00~0.00~0.01~Z~1HTYYY1245 D0C01010~~CD~SDRg.D~HH~Thu Jan 20 11:11:17 IST 2021~C~0.00~0.00~0.01~Z~1140AU A0C01212~~AB~ABCg.C~AB~Wed Jan 11 19:11:17 IST 2021~C~0.00~0.00~0.01~Z~1HTYYY     ... View more

i have a query where my results looks like this Application1-Start Application1-Stop Application2-Start Application2-Stop Application3-Start Application3-Stop 10 4 12 7 70 30 12 8 10 4 3 2 14 4 12 5 16 12 But i want to see the output as shown below is that possible??? Start Start Start Stop Stop Stop Application1 Application2 Application3 Application1 Application2 Application3 10 12 70 4 7 30 12 10 3 8 4 2 14 12 16 4 5 12 ... View more

Query: index=new "application status" AND Condition=Begin OR Condition=Done |rex field = _raw "DIDS \s+\[?<data>[^\]]+)" |dedup data |timechart span=1d count by application Result: _time application1 application2 2022-01-06 10 20 2022-01-07 12 14 2022-01-08 18 30   I want to include Condition field as well in the table, how can i do it??? ... View more

Query: |tstats count where index=xxx host=host1 sourcetype=newsourcetype by PREFIX(type:) _time |rename type: as Types |timechart span=1d values(count) by Types |eval Total=Model1 +Model2+ Model3+ Model4 |fillnull value=0 OUTPUT: _time Model1 Model2 Model3 Model4 Total 2021-04-12 2 0 1 4 0 2021-04-13 0 4 0 0 0 2021-04-14 8 2 10 4 24 2021-04-15 3 0 2 8 0 2021-04-16 1 4 2 2 9   EXPECTED OUTPUT: _time Model1 Model2 Model3 Model4 Total 2021-04-12 2 0 1 4 7 2021-04-13 0 4 0 0 4 2021-04-14 8 2 10 4 24 2021-04-15 3 0 2 8 13 2021-04-16 1 4 2 2 9 ... View more