I have a relatively simple use case but I'm having trouble getting it done. I would like to export the label, description, title and query of each dashboard within my app.
I've gotten as far as this (please don't base your answer on what I have so far unless it's going down the right path 🙂 )
| rest /servicesNS/-/-/data/ui/views
| search isDashboard=1 eai:acl.app=$APPNAME$
| rex max_match=0 field=eai:data "\<description\>(?<DESCRIPTION>.*?)(?:\<\/description\>*?)"
| rex max_match=0 field=eai:data "\<label\>(?<DB_GROUP>.*?)(?:\<\/label\>*?)"
| rex max_match=0 field=eai:data "\<title\>(?<DB_NAME>.*?)(?:\<\/title\>*?)"
| rex max_match=0 field=eai:data "\<query\>(?<QUERY>.*?)(?:\<\/query\>*?)"
| mvexpand DB_NAME
| mvexpand QUERY
| table DB_GROUP DB_NAME DESCRIPTION QUERY eai:acl.app
| dedup QUERY
I'm completely aware that the regex is probably not optimized/etc. and I'll fix that later on.
The primary issue is that the query is going to be a multivalue field, as well as the title. The two mvexpand() commands are causing a little dilemma as I'm never "recombining" those values into one field that I can re-extract. This leads to an issue where the table values aren't a 1:1 match.
I was thinking that mvindex() may be the solution but I'm not entirely sure how I'd implement it. Again, spitting in the dark here so any help is much appreciated.
@daniel.rico@firstdata.com, as far as your rex is working fine, DB_NAME and QUERY should be multi-value field as Dashboard will have only one description and label.
You can use mvzip() to map multi-valued 1:1. PS: I have used <> as the delimiter since query field is ideally not expected to have < or >, which are escaped as &lt; and &gt; respectively. Then you can use mvexpand command on the new stitched multi-valued field. The split() and mvindex() functions are used to bring back title and query from each panel.
<YourBaseSearch>
| eval DashboardMeta=mvzip(DB_NAME,QUERY,"<>")
| mvexpand DashboardMeta
| eval DashboardMeta=split(DashboardMeta,"<>")
| eval DB_NAME=mvindex(DashboardMeta,0)
| eval QUERY=mvindex(DashboardMeta,1)
| table DESCRIPTION DB_GROUP DB_NAME QUERY
PS: mvzip expects 1 to 1 fields present in both multi-valued fields being stitched. Please try out and confirm.
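The stitching described in the answer above, as an added example that is not part of the original thread. It runs on two constructed rows from makeresults (all dashboard names and queries are made up) and adds a hypothetical `pairing` field that flags a dashboard whose title and query counts differ, which is the case the mvzip caveat is about.

```spl
| makeresults count=2
| streamstats count AS n
| eval DB_GROUP="Constructed dashboard ".n, DESCRIPTION="Constructed sample row"
| eval DB_NAME=if(n==1, split("Logins by user;Failed logins", ";"), split("Top sources", ";"))
| eval QUERY=if(n==1, split("index=auth | stats count by user;index=auth action=failure | stats count", ";"), split("index=net | top src;index=net | stats dc(src)", ";"))
| eval titles=mvcount(DB_NAME), queries=mvcount(QUERY)
| eval pairing=if(titles==queries, "ok", "mismatch")
| eval DashboardMeta=mvzip(DB_NAME, QUERY, "<>")
| mvexpand DashboardMeta
| eval DashboardMeta=split(DashboardMeta, "<>")
| eval DB_NAME=mvindex(DashboardMeta, 0), QUERY=mvindex(DashboardMeta, 1)
| table DB_GROUP DB_NAME DESCRIPTION QUERY titles queries pairing
```

Rows marked `mismatch` come from a dashboard where a panel has a query without a title (or the reverse), so the title shown next to a query on those rows cannot be trusted without checking the dashboard XML.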
Appears to work - I have to do some further testing but this seems like what I need - I didn't think of trying that delim out - Awesome!