05 Jun 2023 11:06 AM
Hi, I defined some tags in the key:value format.
Now I'd like to use tag values in DQL.
For example, i defined the tag "myTag" for which its value is a substring of the webservice namespace. Now I'd like to summarize service count by tag value. Below DQL used for extraction, but then how can I summarize by tag value?
fetch dt.entity.service
| fieldsAdd runs_on, tags
| filter matchesValue(tags, "myTag")
If I add
| summarize count(), by:{tags}
I found no way to use tag value.
thanks
Paolo
Solved! Go to Solution.
22 Jun 2023 02:04 PM
@paolo_fumanelli have you had any luck figuring out the tags with DQL?
22 Jun 2023 03:46 PM
Hi Chad,
after several attempts I tried this. I wanted to group and count websphere services by a specific tag
fetch dt.entity.service
| fieldsAdd softwareTechnologies, tags
| filter contains(toString(softwareTechnologies), "IBM_WEBSPHERE_APPLICATION_SERVER")
| filter contains(toString(tags), "myTag")
| summarize count(), by:{(tags)}
| sort `count()` desc
The result is not exactly the one I wanted because if a service has got more that 1 tag, not only "myTag" will be used to produce the grouping but also the other ones.
But, still, it's one step further 🙂
Of course if you have any hint, more than welcome!
04 Jul 2023 11:57 AM
Your current solution does not take into account a situation, where your defined tag is a substring of a larger tag. E.g. you're looking for a tag "dce", then your query would match things tagged with "abcde" as well.
You could consider the following query, maybe this helps:
fetch dt.entity.service
| fieldsAdd softwareTechnologies, tags
| filter matchesValue(tags, "my_tag")
04 Jul 2023 01:11 PM
Hi, thanks for hint. I tried your solution at the beginning but it does work if the tag is not in the key:value format.
Since in my case "myTag" key can assume several different values, if I use matchesValue(tags, "myTag") I wont' get any result.
It will provide results only by specifiying also the value, like
| filter matchesValue(tags, "myTag:myTagValue")
06 Jul 2023 02:12 PM
ah, clear. In that case it makes sense to use contains indeed. and the full solution for you might be something like this:
fetch dt.entity.service
| fieldsAdd softwareTechnologies, tags
| filter contains(toString(softwareTechnologies), "IBM_WEBSPHERE_APPLICATION_SERVER")
| expand tags
| filter contains(toString(tags), "<my_tag>:") // mind the colon at the end
| parse tags, "ld:key ':' ld:tag_value"
| summarize count(), by: {tag_value}
06 Jul 2023 01:53 PM
Hi,
Since the "tags" is essentially an array with multiple values, you would need to do an "expand" on that field. the matchesValue means that the value has to be exactly the same. If your tags contains a key:value pair, then you can also use a "contains"
fetch dt.entity.service
| fieldsAdd softwareTechnologies, tags
| expand tags
| filter contains(tags, "mytag")
06 Jul 2023 02:30 PM
@AmitChiba @Tiit_Hallas you were great!
Both your solutions work very well for my case.
Thanks a lot!
Paolo