Hi,
i need to add two queries so that they could come in different fields in one visualization, one will be the error and one will be success transaction.
index=sso Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY") - ERROR
index=sso Appid="APP-49" PROD ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request") - SUCCESS
need to add both the queries and provide the count for error and count for success but while using this query, sum of the error transaction level!=error so the error count is not matching.
index=ss Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY") OR index=sso ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request")
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(environment="nonprod", 1,0)
| eval success_flag = if(level!="ERROR", 1,0)
| stats sum(err_flag) as total_errors, sum(success_flag) as total_successes by service_name
Please help it would be great.
Try something like this
index=sso Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY") OR ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request")
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(searchmatch("Util.validateAuth" AND "METHOD_ENTRY"), 1,0)
| eval success_flag = if(searchmatch("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request"), 1,0)
| stats sum(err_flag) as total_errors, sum(success_flag) as total_successes by service_name
It is not working as if doesn't take AND and NOT in if command.
getting error : Error in 'EvalCommand': The expression is malformed. Expected ).
No, it's about the unescaped quotes in the searchmatch() argument. If it needs embedded strings, the quotes for those strings should be escaped.