28 Jun 2024 09:34 AM - last edited on 01 Jul 2024 11:59 AM by MaciejNeumann
I have a variable defined as such:
fetch `dt.entity.cloudsqs`
| fields tags
| expand tags
| filter contains(tags, "[AWS]environment")
| sort tags asc
| summarize environments = collectDistinct(tags)
which is practical because later on, when the variable is used, I can use the value as-is without transformations
However, this display values as "[AWS]environment:prod", which I find to be quite bad UX
With a query like:
fetch dt.entity.cloudsqs
| fields tags
| expand tags
| filter contains(tags, "[AWS]environment")
| parse tags, """LD ':' LD:value"""
| fieldsRemove tags
| sort value asc
| summarize environments = collectDistinct(value)
I can get only my values, but the variable is hard to use as it is not the complete tag
Is there a way to display only the value and get the tag? Or a good way to transform from one to the other later on (while using multi-select)?
Solved! Go to Solution.
28 Jun 2024 09:43 PM
You can parse out complete information from tag string. Here is just a bit more complex query getting all parts of tag:
fetch dt.entity.host
| fields tags
| expand tags
| parse tags, """(('[' , LD:tag.context , ']' , LD:tag.name ) | LD:tag.name) ':' LD:tag.value"""
| summarize { tag.values=collectDistinct( tag.value ) }, by: { tag.context, tag.name }
| fieldsAdd tag.values.size = arraySize(tag.values)
summarizing all possible contexts (even if not present) and tag names. Result looks like this: