I have hundreds of URLs in my logs like below:
'GET /service/product/details '
'POST /service/product/eligibile '
'POST /service/tour/details '
I want to group these as per feature. Right now, my search is something like this:
eval FEATURE_NAME=case(url=="'POST /service/product/eligibile '" OR url=="'GET /service/product/details '", "PRODUCT_SERVICE", url=="'POST /service/tour/details '", "TOUR_SERVICE") | table FEATURE_NAME
When I have like 30 URLs from one service, the search becomes huge. Can someone please help with whether we can do some matching, like getting all "*/product/*" collected in "PRODUCT_SERVICE"?
You could probably do an eval:
|eval PRODUCT_SERVICE=if(match(url,"\/product\/"),1,null())
|eval TOUR_SERVICE=if(match(url,"\/tour\/"),1,null())
|eval FEATURE_NAME=case(isnotnull(PRODUCT_SERVICE),"PRODUCT_SERVICE",isnotnull(TOUR_SERVICE),"TOUR_SERVICE")
A case might work:
|eval FEATURE_NAME=case(match(url,"\/product\/"),"PRODUCT_SERVICE",match(url,"\/tour\/"),"TOUR_SERVICE")
Why not use makemv & mvindex instead? Like this:
| makemv url delim="/"
| eval url1=upper(mvindex(url, 2)."_".mvindex(url, 1))
| table url url1
Here is a run-anywhere sample with your data
| makeresults
| eval url="POST /service/product/eligibile;GET /service/product/details;POST /service/tour/details"
| makemv url delim=";"
| mvexpand url
| makemv url delim="/"
| eval url1=upper(mvindex(url, 2)."_".mvindex(url, 1))
| table url url1
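An added run-anywhere example, not from any of the posts above: it derives the feature name from the path with rex instead of enumerating URLs, and gives URLs that do not fit the /service/<feature>/ shape an explicit bucket, because a null FEATURE_NAME would silently drop those events from a stats ... BY. The sample URLs (including /health), the field names method, root and feature, and the UNCLASSIFIED label are constructed for illustration.

```spl
| makeresults
| eval url="'GET /service/product/details ';'POST /service/product/eligibile ';'POST /service/tour/details ';'GET /health '"
| makemv delim=";" url
| mvexpand url
| rex field=url "^'?(?<method>[A-Z]+)\s+/(?<root>[^/\s]+)/(?<feature>[^/\s]+)/"
| eval FEATURE_NAME=if(isnotnull(feature), upper(feature."_".root), "UNCLASSIFIED")
| stats count values(url) AS urls BY FEATURE_NAME
```

Reviewing the UNCLASSIFIED row periodically shows which endpoints the pattern is missing.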