13 May 2024 06:05 AM
Imagine I have logs coming from a Kubernetes cluster which I can retrieve successfully with this:
fetch logs
| filter k8s.namespace.name == "some-namespace-here"
| filter matchesPhrase(content, "someValue")
I can also run this app locally (or outside kubernetes), in which case, the DQL needs to be:
fetch logs
| filter matchesPhrase(content, "someValue")
Rather than create two tiles, is is possible to dynamically achieve this? So that a single tile works in both environments?
I imagined creating a dashboard level variable: "Kubernetes Mode: on / off" and toggling that would (somehow) reconfigure the DQL.
Solved! Go to Solution.
13 May 2024 06:48 AM
Let's define variable this way:
Then the condition can look like this:
| filter ($KubernetesMode=="on" and k8s.namespace.name == "some-namespace-here")
or ($KubernetesMode=="off" and isNull(k8s.namespace.name))
The reason I used isNull for "off" case is that without it the query would take all log lines: from Kubernetes as well as from local case.
You can also approach the problem in more dynamic way using variable based on DQL query defined this way:
fetch dt.entity.cloud_application_namespace
| fields entity.name
| dedup entity.name
| append [data record(entity.name="<local>")]
Then the filter reacting to any namespace selected would look like this:
| filter ($KubernetesMode!="<local>" and k8s.namespace.name == $KubernetesMode)
or ($KubernetesMode=="<local>" and isNull(k8s.namespace.name))
Now you can switch between different namespaces and log lined without namespace set (local)
Kris
13 May 2024 07:30 AM - edited 13 May 2024 07:30 AM
Thanks Krzysztof, I'll experiment with this tomorrow
15 May 2024 06:37 AM
Works perfectly, thanks!