Timelion Chart Custom Label Issue

j_a_griffiths · October 22, 2019, 8:39am

Hi - Im trying to define a TimeLion visualisation usint the following expression

.es(corr,timefield=rt,split="DeviceVendor.keyword:10")

This works but the labels show ion the chart are as follows

q:corr > DeviceVendor.keyword:F-Secure > count
q:corr > DeviceVendor.keyword:Microsoft > count
q:corr > DeviceVendor.keyword:ArcSight > count
q:corr > DeviceVendor.keyword:Check Point > count

I want to make these look a little tidier so tried to specify my own label by changing the expression to

.es(corr,timefield=rt,split="DeviceVendor.keyword:10").label("[$1]", "^.* > DeviceVendor.keyword:(\S+) > .*")

The labels now show

[F-Secure]
[Microsoft]
[ArcSight]
q:corr > DeviceVendor.keyword:Check Point > count

Note the issue with the last label - is this caused by this vendor string having a space in it? if so how can I change it so that the space is ignored and I get
[Check Point] as the last label

Thanks for your help

markov00 · October 28, 2019, 6:15pm

Yes, that's the reason. If I'm not wrong you can fix the regex as the following:

.label("[$1]", "^.* > DeviceVendor.keyword(.*?) > .*")

system · November 25, 2019, 6:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.