I’m having a really hard time figuring out how to match on either 1 or 2 fields and then get additional fields.
I have been trying out the pivot function but cannot quite get it working.
This is syslog data using the syslog plugin, and I have extracted some incoming data into new fields (ip1 and ip2).
Now I want to query either ip1 or ip2 and get both the ip1 and ip2 fields back along with the message field.
Let's just query ip1 for an IP number:
from(bucket: "syslog")
  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)
  |> filter(fn: (r) => r["_measurement"] == "syslog")
  |> filter(fn: (r) => r._field == "ip1" and r._value == "184.108.40.206")
This returns all tags + ip1.
How would I go on to also include the message and ip2 fields in the result?
If I also search in the ip2 field, I get the ip2 field back in the result as well, but I don’t want to query the message field with anything; I still want to get whatever it returns.
I’m not sure if the results are overwriting each other or if you aren’t supposed to get fields back that you haven’t queried.
The scenario is that I always want the ip1, ip2 and message fields in the results regardless of which one of these I’m querying specifically.
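The pattern asked about above, as an added example that is not part of the original post: pivot the fields into columns first, then filter on the pivoted columns, so that a match on ip1 or ip2 keeps the other IP field and the message. It assumes ip1, ip2 and message are string fields in the syslog measurement and reuses the IP from the post as the search value; the exists guard is an assumption about rows where one of the fields is missing at a given timestamp.

```flux
// Added example (not from the original post).
// Before the pivot every field is a separate row, so a filter such as
// r._field == "ip1" and r._value == target discards the ip2 and message rows.
// Pivot first, then filter on the resulting columns.
target = "184.108.40.206"

from(bucket: "syslog")
  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)
  |> filter(fn: (r) => r._measurement == "syslog")
  // Keep only the three fields of interest; do not filter on _value here.
  |> filter(fn: (r) => r._field == "ip1" or r._field == "ip2" or r._field == "message")
  // One row per timestamp (per series) with columns ip1, ip2 and message;
  // the tags stay in the group key and are returned unchanged.
  |> pivot(rowKey: ["_time"], columnKey: ["_field"], valueColumn: "_value")
  // Match the IP in either column. A field absent at that timestamp has a
  // null pivoted column, so guard each comparison with exists (assumption).
  |> filter(fn: (r) =>
      (exists r.ip1 and r.ip1 == target) or (exists r.ip2 and r.ip2 == target)
  )
```

Rows that match on ip1 also carry ip2 and message (and vice versa), because the value filter now runs on the pivoted row rather than on the individual field rows.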