Hi
I would like to get all sourcetypes for a specific app, which normally have one index.
So I tried this search
index=_internal group=per_sourcetype_thruput series=[|metadata type=sourcetypes index=itm | table sourcetype | format]
but it seems that I can't use the series field directly.
Is this generally possible, or do I have to escape the field for that?
Thanks
Rob
That will cause a syntax error because the string returned by the subsearch is formatted somewhat differently - you can see exactly how it's formatted by running the subsearch on its own, including the ending format command.
You could fix this by specifying arguments to format, but a better option would be to just rename your sourcetype field in the subsearch to series.
index=_internal group=per_sourcetype_thruput [|metadata type=sourcetypes index=itm | rename sourcetype as series | fields series]
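To make the expansion described in the answer above visible offline, here is an added example (not code from the thread or from Splunk): a small Python model of the string that the implicit format command builds with its documented default arguments. The sourcetype names and the helper names are constructed for illustration.

```python
# Added illustration: a model of the string Splunk's implicit `format`
# produces at the end of a subsearch, using the documented defaults
# "(" "(" "AND" ")" "OR" ")". Not Splunk code; sourcetype names are constructed.

def spl_quote(value):
    """Quote a value as a search term, escaping backslashes and quotes (assumed)."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def format_rows(rows, row_prefix="(", col_prefix="(", col_sep="AND",
                col_end=")", row_sep="OR", row_end=")"):
    """Model of `format`: one field=value group per result row."""
    groups = []
    for row in rows:
        terms = f" {col_sep} ".join(f"{k}={spl_quote(v)}" for k, v in row.items())
        groups.append(f"{col_prefix} {terms} {col_end}")
    return f"{row_prefix} " + f" {row_sep} ".join(groups) + f" {row_end}"

def rename(rows, old, new):
    """Model of `rename old AS new` applied to result rows."""
    return [{(new if k == old else k): v for k, v in row.items()} for row in rows]

def expand(outer, rows):
    """Substitute the formatted subsearch where [ ... ] stood in the outer search."""
    return outer.replace("[SUBSEARCH]", format_rows(rows))

# Constructed sample rows standing in for the metadata subsearch results.
ROWS = [{"sourcetype": "itm_app_log"}, {"sourcetype": "itm_audit"}]
BASE = "index=_internal group=per_sourcetype_thruput "

def original_form():
    # series=[...]: the whole expression lands after "series=", hence the syntax error.
    return expand(BASE + "series=[SUBSEARCH]", ROWS)

def renamed_form():
    # Field renamed inside the subsearch: the expansion is a valid filter on series.
    return expand(BASE + "[SUBSEARCH]", rename(ROWS, "sourcetype", "series"))

if __name__ == "__main__":
    print(original_form())
    print(renamed_form())
```

The first printed line shows the parenthesised sourcetype terms glued onto `series=`; the second shows the same terms keyed on series, which is what the outer search needs.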
That's great that you got it working, but there's really no need to rewrite the search like that - format is called implicitly at the end of a subsearch anyway, and table is possibly worse performance-wise than fields.
Thanks, that works,
and this with a small change does too:
index=_internal group=per_sourcetype_thruput [|metadata type=sourcetypes index=itm | table sourcetype | rename sourcetype AS series | format]
You can use Sideview Utils to do that.