We have prod and non-prod events and are trying to display the environment names in a dashboard. The prod events contain a hostname and I can extract the environment name from it, whereas the non-prod environment name comes from a different field (kubernetes.namespace_name). How can I merge these 2 fields?
Prod
index=test_prod hostname=ab_bc-app1-prod-i-08077b980050dbd11 sometext
Non Prod
index=test_nonprod hostname=nonprod-i-4332 sometext kubernetes.namespace_name=np1
I have 2 different queries to get the environment name out of them:
search index=test_prod appname=* | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | stats values(env) as env
search index=test_nonprod appname=* kubernetes.namespace_name!=null | stats values(kubernetes.namespace_name) as env
I tried to merge these 2 queries but I am not getting the expected output:
index=test_* appname=* | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | rename kubernetes.namespace_name as env | stats values(env)
But I am getting only prod environments, not non-prod. What am I doing wrong?