topic Re: How do you write a correlation search with a data model? in Knowledge Management

How do you write a correlation search with a data model?

test_qweqwe — Fri, 01 Dec 2017 20:11:53 GMT

Hello my little friends.
I have logs from tomcat and they joined Web Data Model, so that means that I can write correlation search by using a data model.

For example, I have this search:

sourcetype="tomcat:access:log" request_uri="*struts2-rest-showcase*" AND status="500" | stats latest(_raw) as "orig_raw" values(request_uri) as "uri" values(http_method) as method values(status) as status count by "host", "src"

And I want to remake this search using Data Model and right now I have no idea how to do it.

I I've looked at many default correlation searches by ESS to understand how to write my own search and dat searches by so advance level that I even don't understand how they work 😞

Re: How do you write a correlation search with a data model?

test_qweqwe — Fri, 01 Dec 2017 21:30:56 GMT

Maybe I'm wrong but I think if I will remake search that in my OP post by using Data Model it's will solve my another question.

Re: How do you write a correlation search with a data model?

woodcock — Sun, 03 Dec 2017 18:09:16 GMT

Try this;

| tstats summariesonly=t values(Web.url) AS url values(Web.http_method) AS method
WHERE Web.url="*struts2-rest-showcase*" AND Web.status="500"
BY Web.host Web.src

Do note that constraining to 500 means that the other status stuff is pointless because it will always be 500

Re: How do you write a correlation search with a data model?

test_qweqwe — Mon, 04 Dec 2017 11:52:08 GMT

this search not working, but I see how it's looks, tnx!