There are 2 kinds of log:
one is error log
the other is access log.
In error log, there is a field requestUrl
. value format is https://google.com/home.html
.
In access log, there is field requestPath
, value format is /home.html
.
I want to combine them with requestUrl
and requestPath
, and then count the error rate.
The query I used likes:
index=app..eventName=xxx| rex field=requestUrl "https://google.com(?<**path**>.*)" | stats count as failureCount | appendcols [search index=app .. requestPath=$**path**$| stats count as total]
The variable **path**
cannot be passed to requestPath
in subsearch
. I can only get total=0
.
Anyone know how to get the path
from the first search passed to subsearch?
Also, you cannot use asterisks ( * ) in a field name. Maybe that is the only problem that you are having?
I use following query. It works if base search result is not null. But get error if base search result is null - Error in 'map': Did not find value for required attribute 'commonPath'.
What can I do to skip the subsearch and set successRate
to 100
when no numError
?
index=app .. eventName=xxx| rex field=requestUrl "([^/]+://)?[^/]+(?/.*)" |stats count as numError by commonPath| map search="search index=app .. requestPath=$commonPath$| stats count as total by requestPath | eval successRate=(numTotal - $numError$)/numTotal*100 "
Thanks jplumsdaine22 & woodcock.
I cannot use requestUrl/eventName to count numErrors directly. I need to filter errors with other fields, like level=error. And this field exists only in event log not in access log.
So I decide to use map command even it is inefficient. Thanks for your help. 🙂
Generally, this is done with the map
command but that would be way too inefficient for this use-case.
Try this (put your special stuff instead of ...
😞
index=app ... | rex field=requestUrl "([^/]+://)?[^/]+(?<commonPath>/.*)"
| eval commonPath=coalesce(commonPath, requestPath)
| stats count(eval(isnotnull(requestUrl))) AS numErrors count(eval(isnotnull(requestPathl))) AS numHits by commonPath
| where numErrors>0
This shows you only those path
values that have errors and shows both a hit-count and error-count.
You may be better off doing this backwards.
index=app [index=app..eventName=xxx| rex field=requestUrl "https://google.com(?.*)" |fields requestPath]
|stats count as Total count(eval(eventName="xxx")) as Failures by requestPath