I have several fields containing machine performance data named as CPUload
and RAMload
etcetera. They are dynamically calculated by searches such as eval value=if(valueFromSource > 0, "Value is: " "N/A")
. These fields are to be concatenated into one row in a table column called "Operations" and the column to the left contains the name of the machine.
This almost works, but whenever I try to write something that would print this row as:
CPU load: 5%, RAM load: 10%
... it always ends up looking like this:
CPU load: 5%,
RAM load: 10%,
What am I doing wrong? I have tried everything from concatenating strings to multivalue operations, but whatever angle I try, it always turns out the same. I suspect that what I want to do is to create a multivalue field from two single value fields, but I am honestly not sure... any takers on this?
Just add following to end of your search
...Your current search ....| nomv Operations
This would of worked if there was only one machine per environment but since there can up to four of them this happened:
CPU load: 5%, RAM load: 10%, Some Value: 4%, CPU load: 5%, RAM load: 10%, Some Value: 4%, CPU load: 5%, RAM load: 10%, Some Value: 4%
Everything on one row instead of:
CPU load: 56%, RAM load: 10%, Some Value: 23%,
CPU load: 3%, RAM load: 15%, Some Value: 42%,
CPU load: 1%, RAM load: 1%, Some Value: 46%,
One row with three results per machine. Is this expected or have I done something wrong? I tried running makemv delim="," Operations| eval Operations=mvappend(CPUStatus, MemStatus)
etcetera but the result was the same.
You need to do something like this (building your magastring before the stats
😞
... | eval operations="host=" . host . ", CPUload=" . CPUload . ", RAMload=" . RAMload . ", SomeValue=" . if(valueFromSource<0, valueFromSource, "N/A") | stats list(operations) as Operations by Environment
It would be helpful to see the queries you've tried that came close to what you want.
Have you tried something like this?
... | eval Operations=CPUload.", ".RAMload | table machineName Operations
The last part of the query:
stats list(host) as Server list(operations) as Operations by Environment
The machines have to be listed by the respective server and then the Operations row by its respective machine.