Hi,
I'm having difficulty in using a field in a dashboard. I have 3 fields that I'm trying to use some logic with.
qos_metric
, qos_bandwidth
& qos_thruput
I tried this, but it always returns false:
| eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput)
The index always contains qos_bandwidth
& qos_thruput
together, but I only require one.
The logic:
if qos_metric == Bandwidth
then qos_unit
contains the value of qos_bandwidth
, else qos_unit
contains the value of qos_thruput
.
The search (to add context):
Index=storage_arrays sourcetype=qos dev_name=$device$ qos_class=$class$ | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput) | chart avg(qos_unit) as "QoS" avg(qos_metric_value) as Limit over _time by qos_class | eval _span=4
I hope I explained OK.
Instead of trying to go through an eval condition, I've created an input with the static values Name=Bandwidth Value=qos_bandwidth, Name=Throughput,Value=qos_thruput. I then removed the entire eval statement. This seems to work as expected 🙂 It just means a manual step rather than automated.
index="storage_arrays" sourcetype="qos" dev_name="$device$" qos_class="$class$" | chart avg($qosVol$) as "QoS" avg(qos_metric_value) as "Limit" over _time by qos_class
Thank you for all your time.
EDIT
Managed to automate it and thought I'd add it just in case.
index="storage_arrays" sourcetype="qos" dev_name="$device$" qos_class="$class$" | fields qos_class dev_name qos_metric qos_bandwidth qos_thruput qos_metric_value | transaction qos_metric qos_bandwidth qos_thruput qos_class dev_name | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput)| chart avg(qos_unit) as "QoS" avg(qos_metric_value) as "Limit" over _time by qos_class
Breakdown:
<main search populated by form options> | <only return the fields I'm interested in> | <merge the fields> The "qos_metric" field is from a second source, so creates a separate event to the other fields. | <If statement so if qos_metric is Bandwidth only return qos_bandwidth value, else qos_thruput values.> | <stick it in a chart so we can do pretty graphs>
Thanks
Instead of trying to go through an eval condition, I've created an input with the static values Name=Bandwidth Value=qos_bandwidth, Name=Throughput,Value=qos_thruput. I then removed the entire eval statement. This seems to work as expected 🙂 It just means a manual step rather than automated.
index="storage_arrays" sourcetype="qos" dev_name="$device$" qos_class="$class$" | chart avg($qosVol$) as "QoS" avg(qos_metric_value) as "Limit" over _time by qos_class
Thank you for all your time.
EDIT
Managed to automate it and thought I'd add it just in case.
index="storage_arrays" sourcetype="qos" dev_name="$device$" qos_class="$class$" | fields qos_class dev_name qos_metric qos_bandwidth qos_thruput qos_metric_value | transaction qos_metric qos_bandwidth qos_thruput qos_class dev_name | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput)| chart avg(qos_unit) as "QoS" avg(qos_metric_value) as "Limit" over _time by qos_class
Breakdown:
<main search populated by form options> | <only return the fields I'm interested in> | <merge the fields> The "qos_metric" field is from a second source, so creates a separate event to the other fields. | <If statement so if qos_metric is Bandwidth only return qos_bandwidth value, else qos_thruput values.> | <stick it in a chart so we can do pretty graphs>
Thanks
Try this:
Index=storage_arrays sourcetype=qos dev_name=$device$ qos_class=$class$ | eval qos_unit=if(like(qos_metric,"%Bandwidth%"), qos_bandwidth, qos_thruput) | chart avg(qos_unit) as "QoS" avg(qos_metric_value) as Limit over _time by qos_class
The only reason that this makes sense ("if" is always true) is if your test is not what you think it is; this test is a little more flexible to accommodate bounding whitespace.
Hi, Thanks again. Still no joy 😞 Though I have sorted it another way 🙂 Answer to follow.
You explained everything except for the problem that you are having. According to your "question" everything is A-OK and working fine. IMHO there is nothing wrong with your search string with the exception that the final clause ( | eval _span=4
) is useless and does nothing (which makes me think that you are trying to have it do something, which maybe is the "unspoken problem" that you are having). Clarify your problem and maybe we can help you. In any case, the search you posted should do exactly as you indicated is your desire.
Hi, I removed the |eval span=4 to be safe which made no difference. The problem that I'm having is that the if-then-else is alway returning false which make qos_unit always have the value of qos_thruput even if qos_metric is Bandwidth. So to explain:
If qos_metric = bandwidth then let qos_unit contain qos_bandwidth values else qos_unit contains qos_thruput values.
Hello! I think the error should be your avg(qos_unit)
and avg(qos_metric_value)
. Make sure that qos_unit and qos_metric_value have numerical values since avg
will only work with numerical values. If not, try another function
Thanks.
Hi, The two fields only contain integers. And I've pretty much worked my way through doc.
Run your search without a token and let know what happen
Index=storage_arrays sourcetype=qos dev_name=* qos_class=* | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput) | chart avg(qos_unit) as "QoS" avg(qos_metric_value) as Limit over _time by qos_class
if "Bandwidth" is an field, try like :
index=storage_arrays sourcetype=qos dev_name=$device$ qos_class=$class$ | eval qos_unit=if(qos_metric == Bandwidth, qos_bandwidth, qos_thruput) | chart avg(qos_unit) as "QoS" avg(qos_metric_value) as Limit over _time by qos_class | eval _span=4
or
if "Bandwidth" is an string , the you querry is verry OK .
Hi fdi01, Thanks for the reply. The quotes (with/without) make no difference. 😞