I am ingesting azure metrics data using the TA-MS-AAD app
but the data has a host field
{ [-]
_time: 2020-03-26T08:09:00Z
average: 2.8653846153846154
host: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Web/serverFarms/xxxxxxxxxxxxx
metric_name: CpuPercentage
namespace: microsoft.web/serverfarms
subscription_id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
unit: Percent
}
I want to be able to group results by JSON host and not have the results polluted by server host name
field extraction doesn't work 100% because the host field can be in different places in the raw text for the same metric
2 Examples
{"metric_name": "CpuPercentage", "average": 0.65625, "_time": "2020-03-26T08:22:00Z", "host": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Web/serverFarms/xxx", "namespace": "microsoft.web/serverfarms", "unit": "Percent", "subscription_id": "xxx"}
{"subscription_id": "xxx", "host": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Web/serverFarms/xxx", "metric_name": "CpuPercentage", "unit": "Percent", "_time": "2020-03-26T07:51:00Z", "average": 0.0, "namespace": "microsoft.web/serverfarms"}
field alias just renames all host field names, unless there is a way to differentiate between the 2
any help is most appreciated
| makeresults
| eval _raw="raw
{\"metric_name\": \"CpuPercentage\", \"average\": 0.65625, \"_time\": \"2020-03-26T08:22:00Z\", \"host\": \"/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Web/serverFarms/xxx\", \"namespace\": \"microsoft.web/serverfarms\", \"unit\": \"Percent\", \"subscription_id\": \"xxx\"},
{\"subscription_id\": \"xxx\", \"host\": \"/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Web/serverFarms/xxx\", \"metric_name\": \"CpuPercentage\", \"unit\": \"Percent\", \"_time\": \"2020-03-26T07:51:00Z\", \"average\": 0.0, \"namespace\": \"microsoft.web/serverfarms\"}"
| multikv forceheader=1
| spath
| fields - _raw raw
For this result, if LINE_BREAKER
is good, field extraction is no problem.
check your props.conf and transforms.conf