Channel: Questions in topic: "splunk-enterprise"

Re-use host field in Timechart for count aggregation

I am attempting to create a dynamic timecharted trellis dashboard panel that only shows an aggregation by host based on which host fields are present in the main search. As an example, the below shows two trellis panels, split by sourcetype, using statically assigned hostnames.

    index=* sourcetype=* host=host1 OR host=host2
    | timechart span=1s count(eval(host == "host1")) as "host1" count(eval(host == "host2")) as "host2" count by sourcetype

What I would like is for the number of trellis panels (aggregated by host) to shrink or grow based on the number of hosts listed in the primary search. Programmatically, this would be something like a for loop over the host aggregation to create multiple panels, depending on the number of host values present, i.e.

    index=* sourcetype=* host=host1 OR host=host2
    | timechart span=1s count(eval(host == )) as "" count by sourcetype

With the expanded search evaluating to something like the below, assuming 3 hosts:

    index=* sourcetype=* host=host1 OR host=host2 OR host=3
    | timechart span=1s count(eval(host == "host1")) as "host1" count(eval(host == "host2")) as "host2" count(eval(host == "host3")) as "host3" count by sourcetype

Any help would be appreciated! Thanks.
