Hi All,
I have the below two event logs:
Event1:
ns=app1, id=12,Error='400', Service='CallGetAccount'
Event2:
ns=app1, id=12,', Service='CallGetRetro', Account='12345'
Now I have the below Search query =>
ns=app1 Error='400'
Above gives me the Event 1 where I have an error code of 400.
Kindly let me know how to fetch id from Event 1 and then search Event 2 with that id and if found, add 1 to Output field 1 and if not found, add 1 to Output field 2 and get the count displayed in table format .
Thank you!
Like this:
ns=app1 [ns=app1 Error='400' | table id]
| stats count BY id
| search count>1
| stats count
Perhaps this will help get you started.
ns=app1 | transaction id startswith=eval(Error='400') | eval OutputField1=if(eventcount==2, 1, 0), OutputField2=if(eventcount==1, 1, 0) | stats sum(OutputField1) as OutputField1 sum(OutputField2) as OutputField2 | table OutputField2 OutputField2
Thank you.
Event1:
ns=app1, id=12, [ErrorResponse] Service='CallGetAccount'
Event2:
ns=app1, id=12,', Service='CallGetRetro', Account='12345'
Now I have the below Search query =>
ns=app1 ErrorResponse
Above gives me the Event 1 where I have an error.
Kindly let me know how to fetch id from Event 1 i.e. id=12 and then search Event 2 with that id and if found, add 1 to Output field 1 and if not found, add 1 to Output field 2 and get the count displayed in table format .
Thank you
In order to search for the error records, I use :
ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse
Here I get an event like:
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234
Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events and in those I have to look for a field appId = 'New1'. If New1, I have to add it to a counter1 else counter2.
Thank you!
That is different from your original question. It's difficult to provide an answer when the question changes.
My bad. I misread/misunderstood the logs. Kindly provide the guidance for my recent posted query.
Try this.
ns=app1 appId=* [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | return ActNo]
| stats sum(eval(appId=='New1')) as counter1 sum(eval(appId!='New1')) as counter2