Hi,
I have a dashboard in which one of the panels features a table, currently made out of 4 separate searches (technically 4 tables just next to each other), like so:
The searches for each one look like this:
base search... | stats latest(AvailabilityFlex) AS Availability latest(RollOutFlex) AS RollOut latest(LeadershipFlex) AS Leadership
Where for the other metrics the stats command looks for other metrics, i.e.
base search ... | stats latest(AvailabilitySub) AS Availability latest(RollOutSub) AS RollOut latest(LeadershipSub) AS Leadership
Is there an easy way of combining these searches all into one table, with the same structure as it currently has? A table with 4 columns and 4 rows, the first column being the 'metric' and the name of that for each row?
Thanks,
Sam
EDIT: The reason for this is because when you generate the PDF it really stretches out the table, making it look much less professional. If anyone knows how to keep panels all grouped together when doing this, that would also work!
base search... | stats latest(AvailabilityFlex) AS Availability latest(RollOutFlex) AS RollOut latest(LeadershipFlex) AS Leadership |eval a="query1"|append [ base search... | stats latest(AvailabilityFlex) AS Availability latest(RollOutFlex) AS RollOut latest(LeadershipFlex) AS Leadership |eval a="query2"] |append [ base search... | stats latest(AvailabilityFlex) AS Availability latest(RollOutFlex) AS RollOut latest(LeadershipFlex) AS Leadership |eval a="query3"]
difference between append and appendcols
Thanks! This works great.
Do you know how to get the additional column (a=query1, etc) to be at the left of the table rather than the right?
What happens if you just pipe after the query above, something like base search... | stats latest(AvailabilityFlex) AS Availability latest(RollOutFlex) AS RollOut latest(LeadershipFlex) AS Leadership |eval a="query1"|append [ base search... | stats latest(AvailabilityFlex) AS Availability latest(RollOutFlex) AS RollOut latest(LeadershipFlex) AS Leadership |eval a="query2"] |append [ base search... | stats latest(AvailabilityFlex) AS Availability latest(RollOutFlex) AS RollOut latest(LeadershipFlex) AS Leadership |eval a="query3"]| fields a,Availability,RollOut,Leadership
Basically just provide the fields in the respective order that you need with the |fields command?