I'm trying to wrap my head around assigning a variable to field values that have been consolidated by wildcard. The specific field is a url which contains unique values, but can be consolidated by wildcard:
Each of these has statusCode, timestamp, etc. fields associated. I am needing to do a count of how many times /api/v1/data/dataInfo/* had a 404 response, and how many times /api/v1/data/validate had a 404 response, ideally in a timechart. Without consolidating to a wildcard, I have hundreds of results, because the hash that I'm consolidating via wildcard is unique.
I've tried the following, but it errors on "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '/api/v1/data/dataInfo/*)'." I take this to mean I can't use eval/if with a wildcard.
index=data_index environment=Production clientName="DataTool" statusCode=404 | eval dpInfo = if(url=/api/v1/data/dataInfo/*) | eval validate = if(url=/api/v1/data/validate) | timechart count
Any ideas would be very much appreciated!
index=data_index environment=Production clientName="DataTool" statusCode=404 | timechart count(eval(match(url, "^/api/v1/data/dataInfo/"))) AS dpinvo count(eval(match(url, "^/api/v1/data/validate$"))) AS validate
Good point; I should not have had the * there at all (I modified my answer). I could have put in .* but it would have been redundant for the need and waste effort for the RegEx parser.
To use wildcards in eval, use the
... | eval dpInfo = if(match(url, "/api/v1/data/dataInfo/.*"), 1, 0) | ...
... | eval dpInfo = if(like(url, "/api/v1/data/dataInfo/%"), 1, 0) | ...
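An added example, not part of any of the posts above: a single case() maps each url to an endpoint label, so one timechart split by that label gives the per-endpoint 404 counts the question asks for. The first four commands only build constructed sample events (the hash values, the /api/v1/data/unrelated URL and the labels "dataInfo" and "validate" are assumptions made for illustration), so the search runs on any Splunk instance without the data_index index.

```spl
| makeresults count=8
| streamstats count AS n
| eval _time=now()-(n*900), statusCode=404
| eval url=case(n<=4, "/api/v1/data/dataInfo/".md5(tostring(n)),
                n<=7, "/api/v1/data/validate",
                true(), "/api/v1/data/unrelated")
| eval endpoint=case(like(url, "/api/v1/data/dataInfo/%"), "dataInfo",
                     url=="/api/v1/data/validate", "validate")
| where isnotnull(endpoint)
| timechart span=1h count BY endpoint
```

To run it against real events, replace the first four commands with the base search from the question (index=data_index environment=Production clientName="DataTool" statusCode=404). The where clause drops URLs that match neither pattern, which timechart would otherwise report as a NULL series.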