I have the following search:
host=* sourcetype=cpu
| multikv fields, pctUser, pctNice, pctSystem, pctIowait, pctIdle
| eval total = 100-pctIdle
| timechart bins=1000
avg(pctUser), avg(pctSystem), avg(pctIowait), avg(total),
max(pctUser), max(pctSystem), max(pctIowait) max(total)
by host
The legend in the resulting timechart has names with the form:
avg(pctUser) : HostName1
avg(pctUser) : HostName2
avg(pctSystem) : HostName1
avg(pctSystem) : HostName2
...
I want to sort the legend values by host, so that all of the legend entries for a particular host are sequential, and I want the hostname first:
HostName1 : avg(pctUser)
HostName1 : avg(pctSystem)
HostName2 : avg(pctUser)
HostName2 : avg(pctSystem)
I know how to do this when the data I need is a value. The macro from the Unix TA add-on is a good example of this:
host=$host$ sourcetype=df
| strcat host '@' Filesystem Host_FileSystem
| timechart avg(UsePct) by Host_FileSystem
| rename avg(UsePct) as %Used
I haven't been able to figure out how to use the key, instead of the value, when creating legend entries. I tried to rename the fields, i.e.:
avg(pctUser) as host+"something"
but it's not being evaluated, and shows up as "host+avg(pctUser)"
Any ideas?
Try this workaround.
host=* sourcetype=cpu
| multikv fields, pctUser, pctNice, pctSystem, pctIowait, pctIdle
| eval total = 100-pctIdle
| bucket bins=1000 _time
| stats avg(pctUser), avg(pctSystem), avg(pctIowait), avg(total), max(pctUser), max(pctSystem), max(pctIowait) max(total) by _time, host
| eval temp=_time."#".host
| untable temp metric value
| rex field=temp "(?<_time>.*)#(?<host>.*)"
| eval host=host.":".metric
| xyseries _time host value
This is exactly what I was looking for. Thanks! somesoni2