I would like to compare the result count of two search queries in one column chart (one column for each query and day)
The two queries are:
1) index=ex_prod sourcetype=backend /finish status:200 | timechart span=1d count by host
2) index=ex_prod sourcetype=backend /registration status:403 | timechart span=1d count by host
I think I need to store the search results of the two queries in an eval, but I couldn't get it to work as it is a string search and not just fields. Can anyone help me?
Try this:
index=ex_prod sourcetype=backend (/finish status:200) OR (/registration status:403)
| eval type=if((like(_raw, "%/finish%") AND like(_raw, "%status:200%")), "finish", (like(_raw, "%/registration%") AND like(_raw, "%status:403%")), "registration")
| timechart span=1d count by type
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
This worked almost, I just replaced the "if" with a "case" and it worked perfectly. So the final version would be:
index=ex_prod sourcetype=backend (/finish status:200) OR (/registration status:403)
| eval type=case((like(_raw, "%/finish%") AND like(_raw, "%status:200%")), "finish", (like(_raw, "%/registration%") AND like(_raw, "%status:403%")), "registration")
| timechart span=1d count by type
Instead of conditions like like(_raw, "%/finish%"), the searchmatch function can be used:
searchmatch("finish")
Perfect, thx a lot. This is the keyword I was looking for (also for other stuff).
hello there,
Hope I understand your question.
try this:
index=ex_prod sourcetype=backend "/finish" OR "/registration"
| rex "status\:(?<status>\d{3})"
| eval host_status = host."-".status
| timechart span=1d limit=0 count by host_status
hope it helps
Thank you also for this solution, but it was not exactly what I wanted. This solution gives me a column for each status and I cannot tell which URL was called. However, with some minor changes, this would also lead to a working solution.
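To make the difference between the two approaches in this thread concrete, here is an added example (not from the thread or from Splunk) that emulates both SPL pipelines in plain Python over a handful of constructed backend events: the accepted `case(like(...) ...)` classification followed by `timechart span=1d count by type`, and the alternative `rex` + `host."-".status` + `timechart ... by host_status`. The event format, hosts and timestamps are invented for the example; the point is that the host_status table loses the URL, so a 403 on /finish and a 403 on /registration land in the same column, which is exactly the drawback the asker noted.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (timestamp, host, _raw), shaped loosely like the
# backend sourcetype discussed in the thread. Not real log data.
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:00", "web1", "GET /finish status:200 user=alice"),
    ("2024-03-01T10:05:00", "web2", "POST /registration status:403 user=bob"),
    ("2024-03-01T11:00:00", "web1", "POST /registration status:403 user=carol"),
    ("2024-03-02T09:00:00", "web2", "GET /finish status:200 user=dave"),
    ("2024-03-02T09:30:00", "web1", "GET /finish status:403 user=erin"),        # matches neither class
    ("2024-03-02T12:00:00", "web2", "POST /registration status:200 user=frank"),  # matches neither class
]


def classify(raw):
    """Emulate eval type=case(like(_raw,"%/finish%") AND like(_raw,"%status:200%"), "finish",
    like(_raw,"%/registration%") AND like(_raw,"%status:403%"), "registration").
    A substring test is what like() with leading/trailing % does; case() with no
    matching branch yields null, which timechart ... by type then drops."""
    if "/finish" in raw and "status:200" in raw:
        return "finish"
    if "/registration" in raw and "status:403" in raw:
        return "registration"
    return None


# Emulates: | rex "status\:(?<status>\d{3})"
STATUS_RE = re.compile(r"status:(?P<status>\d{3})")


def host_status(host, raw):
    """Emulate eval host_status = host."-".status after the rex above."""
    m = STATUS_RE.search(raw)
    return f"{host}-{m.group('status')}" if m else None


def timechart_by(events, key_fn):
    """Emulate timechart span=1d count by <field>.
    Returns {day: {field_value: count}} with days in ascending order."""
    table = defaultdict(Counter)
    for ts, host, raw in events:
        day = datetime.fromisoformat(ts).date().isoformat()
        key = key_fn(host, raw)
        if key is not None:          # null field values are not counted
            table[day][key] += 1
    return {day: dict(counts) for day, counts in sorted(table.items())}


def by_type(events=SAMPLE_EVENTS):
    """Accepted answer: one column per class (finish / registration) per day."""
    return timechart_by(events, lambda host, raw: classify(raw))


def by_host_status(events=SAMPLE_EVENTS):
    """Alternative answer: one column per host-status pair per day; URL is lost."""
    return timechart_by(events, host_status)


if __name__ == "__main__":
    for day, counts in by_type().items():
        print("by type       ", day, counts)
    for day, counts in by_host_status().items():
        print("by host_status", day, counts)
```

Running it shows the `by_type` table with exactly the two columns the question asked for (finish=1, registration=2 on the first day; finish=1 on the second, since the 403 on /finish and the 200 on /registration fall through `case()` and are not counted), while `by_host_status` puts the web1-403 from /registration on day one and the web1-403 from /finish on day two into the same column. If the registration 403s are being watched as a signal of blocked sign-up attempts, the first shape is the one a detection dashboard wants, because each column maps to a single condition.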