Hello,

I have the following situation that I was hoping to use nested if's to solve. We have a series of errors that are only actionable if they appear over a period of time. Many of the errors share similar messages, so I was hoping to use wildcards to capture them all. Unfortunately, wildcards don't appear to work in if statements, so I was wondering if anyone with more experience (I'm a huge noob) could point me towards a better method that accomplishes the same goal. Here is my current query:

index=echelon sourcetype=echelon_error | eval error_type=if( message="Redis search failure*", "Search Failure", (if(message="PHP Fatal error:*", "PHP Fatal Errors", (if(message="sendsoaprequest failed*", "Soap Request Failed", (if(message="*Maximum execution time of 600 seconds exceeded*", "Max Execution Exceeded", (if(message="*Error creating performer_profile entry*", "Performer Profile Entry Error", (if(message="*exception='foo*", "MainController Failure", (if(program="/sync-staging.pl", "Staging Sync Error", ""))))))))))))) | Where error_type !="" | bucket _time span=1h | stats count AS program_count by program, error_type, _time | stats count AS program_occurred_in_x_different_hours, sum(program_count) AS error_occurrences_total by program, error_type | where program_occurred_in_x_different_hours > 1