How to parse event.original field in filebeat? - filebeat

I would like to extract additional json fields from event.original. The documentation says that the field is not indexed and can be overwritten, but I'm not sure how to do this. https://www.elastic.co/guide/en/ecs/current/ecs-event.html#field-event-original. The field isn't indexed which means that it isn't searchable.
I thought something like
- decode_json_fields:
    fields: ["event.original"]
    process_array: true
    max_depth: 1
    target: ""
    overwrite_keys: false
    add_error_key: true
would produce the correct output, but no additional fields were created.
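To see what a correctly applied decode_json_fields step should do to an event, here is an added Python emulation of the processor's documented options (fields, target, overwrite_keys, max_depth, add_error_key). It is not Beats' own code and not part of the original question; the sample events, the field names inside the JSON and the assumed rule that existing keys win when overwrite_keys is false are constructed here. It runs offline on a sample event whose event.original holds a JSON string, and it shows the two things worth checking in a real pipeline: which keys collide with fields the input already set, and what happens when the string is not JSON at all.

```python
import copy
import json

# Constructed sample Filebeat events (not from the original post). The raw line is
# kept as a JSON string in event.original; "message" already exists on the event,
# which is exactly the collision that overwrite_keys controls.
SAMPLE_JSON_EVENT = {
    "@timestamp": "2024-01-01T00:00:00.000Z",
    "message": "set earlier by the input",
    "event": {
        "original": (
            '{"user": "alice", "action": "login", '
            '"source": {"ip": "10.0.0.5"}, '
            '"message": "from the json", '
            '"nested": "{\\"inner\\": 1}"}'
        ),
    },
}

# A line that was stored in event.original but is not JSON.
SAMPLE_BAD_EVENT = {"event": {"original": "plain text, not json"}}


def get_field(event, path):
    """Walk a dotted path such as "event.original" through nested dicts; None if missing."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_field(event, path, value):
    """Create intermediate dicts as needed and set the leaf of a dotted path."""
    parts = path.split(".")
    cur = event
    for part in parts[:-1]:
        nxt = cur.get(part)
        if not isinstance(nxt, dict):
            nxt = cur[part] = {}
        cur = nxt
    cur[parts[-1]] = value


def _decode_nested(value, depth, max_depth):
    """Recurse into an already decoded object; strings that are themselves JSON
    objects/arrays are decoded only while depth < max_depth (assumed reading of
    the max_depth option)."""
    if isinstance(value, str) and depth < max_depth:
        try:
            parsed = json.loads(value)
        except ValueError:
            return value
        if isinstance(parsed, (dict, list)):
            return _decode_nested(parsed, depth + 1, max_depth)
        return value  # scalar-looking strings such as "123" stay strings
    if isinstance(value, dict):
        return {k: _decode_nested(v, depth, max_depth) for k, v in value.items()}
    if isinstance(value, list):
        return [_decode_nested(v, depth, max_depth) for v in value]
    return value


def _merge(dest, src, overwrite_keys):
    """Copy decoded keys into dest; keys already present are kept unless overwrite_keys."""
    for k, v in src.items():
        if k in dest and not overwrite_keys:
            continue
        dest[k] = v


def decode_json_fields(event, fields, target="", overwrite_keys=False,
                       max_depth=1, add_error_key=True):
    """Approximation of the decode_json_fields processor (assumed semantics written
    from the documented options). Returns a new event; the source field is kept."""
    event = copy.deepcopy(event)
    for field in fields:
        raw = get_field(event, field)
        if not isinstance(raw, str):
            continue  # nothing to decode (missing field or already an object)
        try:
            decoded = json.loads(raw)
        except ValueError as exc:
            if add_error_key:
                set_field(event, "error.message", f"decode_json_fields: {exc}")
            continue
        if not isinstance(decoded, dict):
            continue  # only a JSON object can be merged as fields
        decoded = _decode_nested(decoded, 1, max_depth)
        if target == "":
            _merge(event, decoded, overwrite_keys)   # target "" means the event root
        else:
            existing = get_field(event, target)
            if not isinstance(existing, dict):
                existing = {}
                set_field(event, target, existing)
            _merge(existing, decoded, overwrite_keys)
    return event


if __name__ == "__main__":
    print(json.dumps(decode_json_fields(SAMPLE_JSON_EVENT, ["event.original"]), indent=2))
```

With the options from the question (target "", overwrite_keys false) the decoded keys land at the root but `message` keeps the value the input set; with overwrite_keys true the JSON value replaces it, and max_depth 2 additionally turns the `nested` string into an object. When the string is not JSON, add_error_key leaves an `error.message` behind, which is the field to look at when "no additional fields were created".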

Related

ADO.NET - Accessing Each DataView in DataViewManager

Looks like a silly question, but I can't find a way to access the DataViews in my DataViewManager.
I can see it in the DataViewManager Visualizer window, so there must be a way.
What am I doing wrong?
dvm = New DataViewManager(MyDS) ''-- MyDS is a strongly typed dataset
dvm.CreateDataView(MyDS.Company)
dvm.CreateDataView(MyDS.Sites)
MsgBox(dvm.DataViewSettings.Count) ''-- shows 7, even though I added only 2.
For Each view As DataView In dvm ''-- Error!
    MsgBox(view.Table.TableName)
Next
I also observed that irrespective of how many DataViews I create, the DataViewManager Visualizer shows all DataViews in my dataset. Why?
How do I hide those rows in the parent whose child data view returns 0 rows after applying a RowFilter on the child?
I've done it like this, but it feels like a nasty hack; I've never read the source deeply enough to know if there is a better way:
Add a column to your child datatable: Name: IsShowing, Type: Int, Expression: 1, ReadOnly: True
Put the following code:
ChildBindingSource.RemoveFilter()
ParentBindingSource.RemoveFilter()
'' Clear and re-set the expression on the IsShowing column (the column, not the table) so it is re-evaluated
YourDataSet.ChildDataTable.IsShowingColumn.Expression = ""
YourDataSet.ChildDataTable.IsShowingColumn.Expression = $"IIF([SomeColumn] Like '{SomeFilterText}',1,0)"
ChildBindingSource.Filter = "[IsShowing] > 0"
ParentBindingSource.Filter = "Sum(Child.IsShowing) > 0"
The removal and re-add triggers a re-evaluation of the expression and the filters. There is probably a way to do this without removing/re-adding, but I haven't yet found it. Expressions are normally only re-evaluated when row data changes; changing an expression doesn't seem to recalculate all the row values or trigger a refresh of the relations and BindingSource filters.
It would be great if the parent filter supported complex expressions like SUM(IIF(Child.SomeColumn = 'SomeFilter',1,0))>0, but the SUM operator expects only a column name in the parent or child. As such, the circuitous route of having a column whose Expression is the part inside the SUM is the only way I've found to leverage the built-in filtering.
Remember when you test that the search is case sensitive. If you want it not to be, you might have to have another column of data that is the lowercase version of what you want to search, and lowercase your query string.

Splunk : formatting a csv file during indexing, values are being treated as new columns?

I am trying to create a new field during indexing; however, the fields become columns instead of values when I try to concat. What am I doing wrong? I have looked in the docs and it seems according ..
Would appreciate some help on this.
e.g.
.csv file
**Header1**, **Header2**
Value1 ,121244
transform.config
[test_transformstanza]
SOURCE_KEY = fields:Header1,Header2
REGEX = ^(\w+\s+)(\d+)
FORMAT = testresult::$1.$2
WRITE_META = true
fields.config
[testresult]
INDEXED = True
The regex is good and creates two groups from the data, but why is it creating a new field instead of assigning the value to testresult? If I use testresult::$1 or testresult::$2 it works fine, but when concatenating it creates multiple headers with the value as the header name. Is there an easier way to concat fields, e.g. if you have a csv file with header names, can you just not refer to the header names? (I know how to do this using calculated fields but want to do it during indexing.)
Thanks

Solr result difference between "field:query string" and using "df"

I have a solr core with names and some meta data.
Something like this: "firstname"; "lastname"; "search"; "meta1"; "meta2"; etc.
Where "search" is a copy field containing "firstname" and "lastname". Search looks like this: search: ["johhny", "cash"].
The schema default field is the "search" field.
When I search only over the query with "firstname:johnny" I get different results compared to a search over the default field "df = firstname" and query "johnny".
Can anyone explain why this is and what the inner workings are for this effect?

Splunk: Extracting multiple fields with the same name

I am using Splunk to index logs with multiple fields with the same name. All fields have the same meaning:
2012-02-22 13:10:00,ip=127.0.0.1,to=email1#example.com,to=email2#example.com
In the automatic extraction for this event, I only get "email1#example.com" extracted for the "to" field. How can I make sure all the values are extracted?
Thanks!
I think adding this to the end of the search may do it:
| extract pairdelim="," kvdelim="=" mv_add=t | table to
(the 'table' is just for demonstration).
So, I think, in 'transforms.conf' (from http://docs.splunk.com/Documentation/Splunk/latest/admin/transformsconf) put:
[my-to-extraction]
DELIMS = ",", "="
MV_ADD = true
and reference it in 'props.conf':
[eventtype::my_custom_eventtype]
REPORT-to = my-to-extraction
where 'eventtype::my_custom_eventtype' could be anything that works as a 'props.conf' specification (<spec> in http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf).
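The multivalue behaviour the answer relies on (MV_ADD / mv_add=t) is easy to misjudge when a log line repeats a key, so here is an added Python emulation of the key=value extraction over the asker's sample line. It is not Splunk's extractor and not part of the original thread; the second sample line and the assumed rule that, without mv_add, the first occurrence of a key is kept (matching what the asker observed) are constructed here. The recipient-count helper is the kind of check a defender would put on such a field once all values are extracted.

```python
# Constructed log lines in the asker's key=value format. The first is the one from
# the question; the second is made up here to show a repeated value and another key.
SAMPLE_LINES = [
    "2012-02-22 13:10:00,ip=127.0.0.1,to=email1#example.com,to=email2#example.com",
    "2012-02-22 13:11:00,ip=10.1.1.9,to=email3#example.com,cc=email4#example.com,"
    "to=email3#example.com",
]


def extract_pairs(line, pairdelim=",", kvdelim="=", mv_add=True):
    """Split a line into key=value pairs (analogue of extract pairdelim/kvdelim).

    mv_add=True: repeated keys accumulate into a list, i.e. a multivalue field.
    mv_add=False: assumed behaviour of the default, the first occurrence is kept and
    later ones are discarded, which is what the asker saw for "to".
    Tokens without a kvdelim (the leading timestamp) are skipped.
    """
    fields = {}
    for token in line.split(pairdelim):
        if kvdelim not in token:
            continue
        key, value = token.split(kvdelim, 1)
        key, value = key.strip(), value.strip()
        if key not in fields:
            fields[key] = [value] if mv_add else value
        elif mv_add:
            fields[key].append(value)
    return fields


def values_of(fields, key):
    """Return a key's values as a list whether the field is multivalue or single."""
    val = fields.get(key)
    if val is None:
        return []
    return list(val) if isinstance(val, list) else [val]


def recipients_per_event(lines, key="to"):
    """Number of extracted recipients per line; with mv_add this counts every
    occurrence, which is the figure a fan-out or spam-volume rule would use."""
    return [len(values_of(extract_pairs(line), key)) for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_pairs(line))
    print(recipients_per_event(SAMPLE_LINES))
```

Without mv_add the `to` field silently collapses to one address, so any rule written on recipient counts undercounts; the list form is what `| table to` would show once MV_ADD is in effect. Note that repeated identical values are kept as separate entries, so deduplicate before counting distinct recipients.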

How to optimize solr indexes

When I run the solr/admin page I get this information. It shows optimize=true, but I have not set optimize=true in the configuration file, so how is it optimizing the indexes?
And how can I set it to false?
Schema Information
Unique Key: UID_PK
Default Search Field: text
numDocs: 2881
maxDoc: 2881
numTerms: 41960
version: 1309429290159
optimized: true
current: true
hasDeletions: false
directory: org.apache.lucene.store.SimpleFSDirectory:org.apache.lucene.store.SimpleFSDirectory# C:\apache-solr-1.4.0\example\example-DIH\solr\db\data\index
lastModified: 2011-06-30T10:25:04.89Z
It doesn't say "optimize = true" or that it will "optimize something". It says that your index is currently optimized. That's the difference: it describes only the current status of your index.
The best way to look this kind of thing up is:
Insert a couple of rows
Look up this value; it will show "optimized"
Delete a row
Look up this value again; it will say "not optimized"