Hi, I need to add the filter from the error query into the total transaction query so that I can get the filtered error counts as well as the total transactions in two columns with the service name.
This is the query I am using to get total transactions and total errors:
index="iss" Environment=PROD
| where Appid IN ("APP-61", "APP-85", "APP-69", "APP-41", "APP-57", "APP-71", "APP-50", "APP-87")
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(level="ERROR", 1,0)
| eval success_flag = if(level!="ERROR", 1,0)
| stats sum(err_flag) as Total_Errors, sum(success_flag) as Total_Successes by service_name
| eval Total_Transaction = (Total_Successes+Total_Errors)
| fields service_name, Total_Transaction, Total_Errors, Total_Successes
I need to add a search filter to the errors so that it will count only those filtered errors, not all errors, and merge the query below into the one above in the err_flag line:
index="iss" Environment=PROD "Invalid JS format" OR ":[down and unable to retrieve response" OR "[Unexpected error occurred" OR ": [An unknown error has occurred" OR "exception" OR OR IN THE SERVICE" OR "emplateErrorHandler : handleError :" OR "j.SocketException: Connection reset]" OR "Power Error Code" OR "[Couldn't kickstart handshaking]" OR "[Remote host terminated the handshake]" OR "Caused by:[JNObject" OR "processor during S call" OR javx OR "Error while calling" OR level="ERROR" NOT "NOT MATCH THE CTRACT" NOT "prea_too_large" NOT g-500 NOT G-400 NOT "re-submit the request" NOT "yuu is null" NOT "igests data" NOT "characters" NOT "Asset type" NOT "Inputs U" NOT "[null" NOT "Invalid gii"
Please help me, it would be wonderful. Thank you.
According to your first search, whether an event is counted as an error is solely determined by a field named level, and only when its value is "ERROR" do you consider the event an error. Is this correct? All you need to do is to literally combine this criterion and the filters in the second with OR logic. Something like:
index="iss" Environment=PROD Appid IN ("APP-61", "APP-85", "APP-69", "APP-41", "APP-57", "APP-71", "APP-50", "APP-87")
( ("Invalid JS format" OR ":[down and unable to retrieve response"
OR "[Unexpected error occurred" OR ": [An unknown error has occurred"
OR "exception" OR "IN THE SERVICE" OR "emplateErrorHandler : handleError :"
OR "j.SocketException: Connection reset]" OR "Power Error Code"
OR "[Couldn't kickstart handshaking]"
OR "[Remote host terminated the handshake]" OR "Caused by:[JNObject"
OR "processor during S call" OR javx OR "Error while calling"
OR level="ERROR" NOT "NOT MATCH THE CTRACT" NOT "prea_too_large"
NOT g-500 NOT G-400 NOT "re-submit the request" NOT "yuu is null"
NOT "igests data" NOT "characters" NOT "Asset type"
NOT "Inputs U" NOT "[null" NOT "Invalid gii"
) OR level!=ERROR)
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(level="ERROR", 1,0)
| eval success_flag = if(level!="ERROR", 1,0)
| stats sum(err_flag) as Total_Errors, sum(success_flag) as Total_Successes by service_name
| eval Total_Transaction = (Total_Successes+Total_Errors)
| fields service_name, Total_Transaction, Total_Errors, Total_Successes
Note I removed the "| where" command in the first because it is more efficient to place the simple filter as a search filter. I also corrected a syntax error in the second from OR OR IN THE SERVICE" to OR "IN THE SERVICE". If any of these changes the semantics, make adjustments. Hope this helps.
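An added example, not part of the original posts: one way to apply the keyword filter only to the error count while every event still counts toward Total_Transaction, using eval's searchmatch(). The field names is_candidate and is_excluded are hypothetical; the phrases are copied from the question, with the "IN THE SERVICE" correction from the answer.

```spl
index="iss" Environment=PROD Appid IN ("APP-61", "APP-85", "APP-69", "APP-41", "APP-57", "APP-71", "APP-50", "APP-87")
| rex field=_raw " (?<service_name>\w+)-prod"
| eval is_candidate = if(
    searchmatch("\"Invalid JS format\" OR \":[down and unable to retrieve response\" OR \"[Unexpected error occurred\" OR \": [An unknown error has occurred\" OR \"exception\" OR \"IN THE SERVICE\" OR \"emplateErrorHandler : handleError :\" OR \"j.SocketException: Connection reset]\"")
    OR searchmatch("\"Power Error Code\" OR \"[Couldn't kickstart handshaking]\" OR \"[Remote host terminated the handshake]\" OR \"Caused by:[JNObject\" OR \"processor during S call\" OR javx OR \"Error while calling\" OR level=\"ERROR\""),
    1, 0)
| eval is_excluded = if(
    searchmatch("\"NOT MATCH THE CTRACT\" OR \"prea_too_large\" OR g-500 OR G-400 OR \"re-submit the request\" OR \"yuu is null\" OR \"igests data\" OR \"characters\" OR \"Asset type\" OR \"Inputs U\" OR \"[null\" OR \"Invalid gii\""),
    1, 0)
| eval err_flag = if(is_candidate=1 AND is_excluded=0, 1, 0)
| stats count as Total_Transaction, sum(err_flag) as Total_Errors by service_name
| eval Total_Successes = Total_Transaction - Total_Errors
| fields service_name, Total_Transaction, Total_Errors, Total_Successes
```

Because the base search no longer filters on the keywords, Total_Transaction is the count of all PROD events per service, and an event that matches any exclusion phrase is counted as a success rather than dropped.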