I have a query that receives input from a drop-down.
Example info coming from the drop-down:
Static: All = *
Dynamic = Application name + Version
All
Nitro 10.9.1.1455
Runner 11.2.1.1444
Calendar 11.1.0.1355
I am physically splitting the name of the application from the version number because my index has Application as a separate field from Version and does not take the application with the version (i.e., Calendar 11.1.0.1355) as an input. I am combining the two for my drop-down for user simplicity.
How queries require the input:
Application = Calendar
Version = 11.1.0.1355
index=search
| eval Applications = "$App_token$"
| rex field=Applications "^(?<Application>^\D+)"
| rex field=Applications "^(?<Install_Version>^\d.*)"
| dedup Mac_Address Application
| search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*"
|chart limit=50 count over "Application" by "Install Status"
How would I build a case where "All" would display all applications rather than *?
@JoshuaJohn, what are the fields in your index=search corresponding to Application and Version? You have not applied any filter for either one in your search.
Besides your query, you should also check your existing query for the following:
1) All your search filters should be in your base query:
index=search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*"
2) You should have a single rex for Application and Install_Version. If the Application name does not have spaces, you can try the following:
| rex field=Applications "^(?<Application>[^\s]+)\s(?<Install_Version>.*)"
If there may be spaces in the Application name, maybe you can try the following:
| rex field=Applications "^(?<Application>\D+?)\s+(?<Install_Version>[\d.]+)"
PS: This could also be handled in the drop-down itself. Will your drop-down have multiple entries for the same App with different versions?
Hi
Can you check if that works for you?
index=search
| eval Applications = "$App_token$"
| rex field=Applications "^(?<Application>^\D+)"
| rex field=Applications "^(?<Install_Version>^\d.*)"
| dedup Mac_Address Application
| search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*"
|chart limit=50 count over "Application" by "Install Status"
| eval Application=if(Application=="*","All",Application)
It is just a cosmetic operation at the end of the whole calculation.
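One way to make the "All" choice act as a wildcard, added here as an example and not taken from any of the posts above: a subsearch splits the drop-down value and returns it as a field filter on the base search. It assumes the index fields are named Application and Version (as in the question's "How queries require the input" lines) and that the token is either * or "name version"; `$App_token|s$` is the dashboard token filter that quotes and escapes the value.

```spl
index=search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*"
    [| makeresults
     | eval sel=$App_token|s$
     | rex field=sel "^(?<Application>.+?)\s+(?<Version>\d[\d.]*)$"
     | eval Application=if(sel=="*", "*", Application), Version=if(sel=="*", "*", Version)
     | where isnotnull(Application) AND isnotnull(Version)
     | table Application Version]
| dedup Mac_Address Application
| chart limit=50 count over "Application" by "Install Status"
```

With "All" selected the subsearch expands to Application="*" AND Version="*"; with "Calendar 11.1.0.1355" it expands to Application="Calendar" AND Version="11.1.0.1355". A token value that fits neither form returns no row from the subsearch, so it matches no events instead of widening the search.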