Now this one may be tough!
I have a working solution to join to metadata stored in an alertmetadata metric in prom like this:
label_replace(host_cpu_used_pct{host=~".*"},"Alert","AlertName","required_junk_label",".*") * on (Alert) group_left(app_name, AlertDataSource, AffectedProduct, AffectedBusinessProcess, AffectedBusinesProcessComponent,MitigationProcedureLink, AlertThresholdWarning,ThresholdCritical,RelevantSLA, PrimaryMetricCategory, PrimaryMetricMeasure) group by (Alert, AlertDataSource, AffectedProduct,AffectedBusinessProcess, AffectedBusinesProcessComponent, MitigationProcedureLink, AlertThresholdWarning, AlertThresholdCritical, RelevantSLA, PrimaryMetricCategory, PrimaryMetricMeasure) (alertmetadata{})
The key here is AlertName, which matches to a metric in the alertmetadata time series and pulls back the labels shown. This works perfectly when querying a prom time series (host_cpu_used_pct). This adds a label called alert with value alertname to the returned time series.
I now want to do the same label_replace capability when querying against an external data source, in this case SPLUNK:
label_replace(index=* source=* "EXECUTION HALTED"), "Alert","AlertName","required_junk_label",".*") * on (Alert) group_left(app_name, AlertDataSource, AffectedProduct, AffectedBusinessProcess, AffectedBusinesProcessComponent,MitigationProcedureLink, AlertThresholdWarning,ThresholdCritical,RelevantSLA, PrimaryMetricCategory, PrimaryMetricMeasure) group by (Alert, AlertDataSource, AffectedProduct,AffectedBusinessProcess, AffectedBusinesProcessComponent, MitigationProcedureLink, AlertThresholdWarning, AlertThresholdCritical, RelevantSLA, PrimaryMetricCategory, PrimaryMetricMeasure) (alertmetadata{})
But I get "unexpected = at char 20" when I try this.
I've tried putting quotes around my Splunk query but it doesn't seem to help and I get other errors. Any thoughts on how to do this?
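
An added illustration, not part of the original post: a small Python model of what the working PromQL query does, showing that `label_replace` operates on a set of labelled series and that the anchored regex has to match the (empty) value of the missing junk label for the `Alert` label to be added. The function names, the reduced label list and the sample series are constructed for this example.

```python
import re

def label_replace(series, dst, replacement, src, regex):
    """Model of PromQL label_replace: regex is anchored on the value of src ("" if absent)."""
    out = []
    for labels, value in series:
        new = dict(labels)
        m = re.fullmatch(regex, labels.get(src, ""))
        if m:  # on no match the series passes through unchanged
            new[dst] = m.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
        out.append((new, value))
    return out

def group_by(series, by):
    """Model of `group by (by) (...)`: one series per label set, value 1."""
    groups = {}
    for labels, _ in series:
        kept = {l: labels[l] for l in by if l in labels}
        groups[tuple(sorted(kept.items()))] = (kept, 1.0)
    return list(groups.values())

def mul_on_group_left(left, right, on, include):
    """Model of `left * on(on) group_left(include) right` (many-to-one)."""
    index = {}
    for labels, value in right:
        key = tuple(labels.get(l, "") for l in on)
        if key in index:
            raise ValueError("duplicate series on the 'one' side for %r" % (key,))
        index[key] = (labels, value)
    out = []
    for labels, value in left:
        hit = index.get(tuple(labels.get(l, "") for l in on))
        if hit:  # left-hand series with no partner are dropped
            extra = {l: hit[0][l] for l in include if l in hit[0]}
            out.append(({**labels, **extra}, value * hit[1]))
    return out

# Constructed sample data (not from the post)
CPU = [({"host": "web01"}, 73.5), ({"host": "db01"}, 41.0)]
META = [({"Alert": "AlertName", "AffectedProduct": "Payments", "RelevantSLA": "99.9"}, 1.0),
        ({"Alert": "OtherAlert", "AffectedProduct": "Search", "RelevantSLA": "99.5"}, 1.0)]
FIELDS = ["AffectedProduct", "RelevantSLA"]

def enrich(series, regex=".*"):
    tagged = label_replace(series, "Alert", "AlertName", "required_junk_label", regex)
    return mul_on_group_left(tagged, group_by(META, ["Alert"] + FIELDS), ["Alert"], FIELDS)

if __name__ == "__main__":
    for labels, value in enrich(CPU):
        print(labels, value)
```

With the regex `.` instead of `.*`, the empty junk label does not match, no `Alert` label is added, and the join returns nothing.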