I have some data that looks like:
Status  Rec_Cnt  Message
OK      723      File produced 723 records
ERROR   123      Directory does not exist
What I want is for Status="OK" to display only the Status and Rec_Cnt fields. If Status!="OK", then I want to display Status, Rec_Cnt and Message. So I tried:
| ...base search...
| stats count by Status, Rec_Cnt
| where Status!="OK"
| stats count by Status, Rec_Cnt, Message
Which I didn't expect to work, and it did not. I know it is not that simple, but I am at a loss as to how to get what I am looking for.
Ideas on what I should try next?
How about this:
| ...base search...
| stats count values(eval(if(Status="OK", "", Message))) as Message by Status, Rec_Cnt
That's much closer than what I had going on! Thanks
The only thing is that this is going to be a table on a dashboard panel, and there will only ever be 1 line of data (the latest event) displayed. I don't really want the NOC folks to see a Message field unless there is a problem (Status!=OK). The reason is that, over time, human nature will just glance up at the panel, always see a "Message" column (even a blank one), and discount it as normal, even when there is data displayed there.
Successful operations should just display 2 columns Status and Rec_Cnt, Message is for when there is an issue.
In that case, try this (this is just a brain dump, please review and tweak as needed):
<dashboard>
  <search id="panel_logic">
    <query>... base search ... NOT (Status="OK")</query>
    <earliest>@d</earliest>
    <latest>now</latest>
    <done>
      <condition match="'job.resultCount' > 0">
        <set token="show_error">true</set>
        <unset token="exec_search" />
      </condition>
      <condition>
        <unset token="show_error" />
        <set token="exec_search">yes</set>
      </condition>
    </done>
  </search>
  <row>
    <!-- this is the panel with the query for success ONLY, with 2 columns -->
    <panel rejects="$show_error$">
      <table>
        <search>
          ...
        </search>
      </table>
    </panel>
    <!-- this is the panel with the query for success AND failure, with 3 columns -->
    <panel depends="$show_error$">
      <table>
        <search>
          ...
        </search>
      </table>
    </panel>
  </row>
</dashboard>
Now, depends and rejects will only show/hide the panel when the criteria are met; the search for the panel will still execute, resulting in 3 searches in your dashboard. To minimize the number of times a search gets executed, add the following to the respective searches. This will cause each search to wait for its specific token to be set. You can hide these fields from the final display.
For the success-only search, add: eval exec_search="$exec_search$"
For the error-condition search, add: eval show_error="$show_error$"
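A complete Simple XML dashboard built on the pattern in the answer above, added here as a worked example; it is not code from the original thread. The index, sourcetype and time range (index=batch sourcetype=job_status, today to now) are assumptions, and the fields Status, Rec_Cnt and Message are taken from the sample data in the question. Because the poster said only the latest event is ever shown, the control search decides on that one event with head 1 rather than on any non-OK event in the window. Each panel's search references a token in its query, so Splunk does not dispatch it until the control search has set that token, and each search drops the gate field with table so it never reaches the NOC display.

```xml
<dashboard>
  <label>Batch job status (assumed example)</label>

  <!-- Control search. Returns a row only when the most recent event's Status
       is not OK, and flips one of two tokens so exactly one panel is shown. -->
  <search id="panel_logic">
    <query>index=batch sourcetype=job_status | head 1 | where Status!="OK"</query>
    <earliest>@d</earliest>
    <latest>now</latest>
    <done>
      <condition match="'job.resultCount' > 0">
        <set token="show_error">true</set>
        <unset token="show_ok"></unset>
      </condition>
      <condition>
        <unset token="show_error"></unset>
        <set token="show_ok">true</set>
      </condition>
    </done>
  </search>

  <row>
    <!-- Success panel: two columns only. The $show_ok$ reference keeps this
         search from dispatching until the control search sets the token. -->
    <panel depends="$show_ok$">
      <title>Latest run</title>
      <table>
        <search>
          <query>index=batch sourcetype=job_status
| head 1
| eval gate="$show_ok$"
| table Status Rec_Cnt</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>

    <!-- Error panel: three columns, shown only when the latest event is not OK.
         The $show_error$ reference gates this search the same way. -->
    <panel depends="$show_error$">
      <title>Latest run: ATTENTION</title>
      <table>
        <search>
          <query>index=batch sourcetype=job_status
| head 1
| eval gate="$show_error$"
| table Status Rec_Cnt Message</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Using rejects="$show_error$" on the success panel, as in the answer, also works, but that panel is then visible (with its search waiting for input) from page load until the control search finishes; keying it on a second token with depends keeps both panels hidden until the decision has been made. The eval of the token into a throwaway field is only there to make the search depend on the token; with table limiting the output to the named columns, nothing extra appears in the panel.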