Expose hidden fields?

Comments

3 comments

  • Avatar
    Olaf Stein

    Hi Brendan,

    you can show these:
    | fields _sourceCategory

    and use them in group operations:

    | count by _sourceCategory

    Let me know if you have other questions

    Olaf

    0
    Comment actions Permalink
  • Avatar
    Kevin

    Hi Brendan,

    Yes, you can reference the metadata fields later within your queries similar to other parsed fields. Here are a couple examples.

    Count by metadata:

    _collector=foo
    | count by _source

    Filter by metadata:

    _collector=foo
    | where _sourcename="/my/file/name"

    Parse the metadata field + count:

    _collector=foo
    | parse field=_sourcename "/path/*" as name
    | count by name

     

    I hope this is what you were looking for. 

    0
    Comment actions Permalink
  • Avatar
    Brendan McCarthy

    Thanks for the quick replies! I think what confused me is that exposing the field directly doesn't work, but the parse form does, e.g.:

    _sourceCategory=prod-usw1/*-service
    | parse field=_sourceCategory "prod-usw1/*" as src
    | fields _sourceCategory, src

    'src' shows up, not '_sourceCategory -- and 'as' is not valid syntax.

    Anywhere the parsing form is what I really wanted so thanks again.

    0
    Comment actions Permalink

Please sign in to leave a comment.