My application logs will print each record with id. If the record has any error, it will display the Error field else it won't. I want to look for the error field in each record, if present I have to look for the values in Error field. If 'A', I have to increase the count for Error Code as 503 by 1, if 'B', I have to increase the count for Error Code as 504 by 1 and if Error field is not present in the record, I have to increase the count for response code of 200 by 1.
Actually, I think that I took you too literally in the other answer. I think that what you are really needing is aggregation counts like this:
|makeresults | eval raw="Timestamp: 2017-31-08 21:00:01 alpha-transform-id=random generated id, [Response] Service = alpha-transform, ResponseTime=200ms:::Timestamp: 2017-31-08 21:00:03 alpha-transform-id=random generated id, [Error Response] Service = alpha-transform, ResponseTime=200ms, Error='A'"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| kv
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."
| eval returnCode=case(Error="'A'", "503",
Error="'B'", "504",
true(), "200")
| stats count by returnCode
My Initial search condition is =>
ndex=ltm1_idx ns=app1 Service='trigger1' Id!='temp-12' | Search ErrorResponse
This will result in the event where I will get the Id's other then temp-12 e.g. 100, 123, 124, etc. Now I need to search using that Id value e.g. Id=100 and get an ActNo field value.
e.g. Event => ndex=ltm1_idx ns=app1 Service='trigger1' Id='100' ActNo=A123.
Now get this Account No field and check for its value either A123 or Not A123. If A123, add a counter to field1 and if not A123, add a counter to field2. And displaying the values of field 1 and field 2 for all the events found in Initial search above over a period of time.
In order to search for the error records, I use :
ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse
Here I get an event like:
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234
Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events and in those I have to look for a field appId = 'New1'. If New1, I have to add it to a counter1 else counter2.
Thank you!
I believe you started over in another Question on answers that is better formulated, right?
Yes. And apologies for changing the contents as I was also not sure on the pattern of events I was getting. Thank you!
No problem; it just means that this Q&A are dead. Nothing to see. Move along.
Do it like this (probably not, though, see other answer):
| eval raw="Timestamp: 2017-31-08 21:00:01 alpha-transform-id=random generated id, [Response] Service = alpha-transform, ResponseTime=200ms:::Timestamp: 2017-31-08 21:00:03 alpha-transform-id=random generated id, [Error Response] Service = alpha-transform, ResponseTime=200ms, Error='A'"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| kv
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."
| eval fieldToInc=case(Error="'A'", "503",
Error="'B'", "504",
true(), "200")
| eval {fieldToInc}_T3mP = 1
| foreach *_T3mP [eval "<<MATCHSTR>>" = if(isnotnull($<<FIELD>>$), if(isnull($<<MATCHSTR>>$), 1, $<<MATCHSTR>>$ + 1), null()) ]
| fields - fieldToInc *_T3mP
Examples of events:
Without error:
Timestamp: 2017-31-08 21:00:01 alpha-transform-id=random generated id, [Response] Service = alpha-transform, ResponseTime=200ms ....
With error:
Timestamp: 2017-31-08 21:00:03 alpha-transform-id=random generated id, [Error Response] Service = alpha-transform, ResponseTime=200ms, Error='A' ....
Kindly let me know if I just put Index and Namespace in search bar and got above two records as an example. How can I search for Error field and then evaluate based on its value to assign a right error code.
I don't get it. This kind of situation always benefits from sample event data and desired mockup of final output.