I tried using the above query to fetch a list of project_names from different index_names; the project name has a different field name in each index.
index=$index_name$ sourcetype=$source_type$ host=$host_name$ | eval Project_N=if($index_name$=="xyz", "project_n= * ", "proj_n= * ") | chart count(host) as hostname by Project_N
I tried using cases, an if statement and the coalesce function, but I am not getting the list of project names.
2 log files for your understanding -
Below are the two log files-
LogFile1
index,sourcetype,host,proj_n,entry_post
abc,aaa,10.11.190.12,xyz,text....
abc,aaa,10.11.190.12,xxx,text....
abc,aaa,10.11.190.12,yzx,text....
LogFile-2
index,sourcetype,host,project_n,entry_post
bbc,aaa,10.11.190.12,yyy,text....
bbc,aaa,10.11.190.12,zzz,text....
bbc,aaa,10.11.190.12,bbb,text....
Suppose I have index=abc; the output list should be project_name=xyz, xxx, yzx, ....
If index=bbc, then the output list should be project_name=yyy, zzz, bbb, .....