I have this search which is not returning any results, and I am not sure of the issue. Any help?
index=my_index status!=200
| stats count(status) as TOTAL_FAILURES
| eval FAILURES=if(status!=200,1,0)
| eval ERROR_TYPE=""
| eval ERROR_TYPE=case(match(status, "401"), "401 UnAuthorized", match(status, "400"), "400 Bad Request", match(status, "502"), "502 Bad Gateway", match(status, "500"), "500 Internal Server Error", match(status, "404"), "404 Not Found", match(status, "403"), "403 Forbidden", match(status, "302"), "302 URL Redirection", match(status, "204"), "204 No Content")
| stats sum(FAILURES) as FAILURES, count by ERROR_TYPE
| eval FAILURE_RATE=(FAILURES/TOTAL_FAILURES)*100
| eval STATUS=case(FAILURE_RATE > 95, "RED", FAILURE_RATE > 50, "ORANGE", FAILURE_RATE < 51,"GREEN", 1=1, UNKNOWN)
| table ERROR_TYPE, TOTAL_FAILURES, FAILURES, FAILURE_RATE, STATUS
Firstly, after the "stats count(status) as TOTAL_FAILURES" part at the beginning of your search, you will only be left with one field, TOTAL_FAILURES, which will have a numeric value of the number of events which contain the field status. The status field will no longer exist so all other evals after that won't work.
Thanks @Iquinn, this helped.