Hi, I have the saved search QueryOne below and want to classify anything that does not match the regex pattern for APIFamily on URI, "(?<APIFamily>[/\w.]+/v\d+)/", as an "other" category in search query 2. How can this be done in query 2?
Saved Search Queryone -
search environment=test
index=iis* NOT "GET / - 80" NOT "GET / - 443" NOT "/ping*" NOT "swagger"
|eval URI=lower(cs_uri_stem)
|rex field=URI "(?<APIFamily>[/\w.]+/v\d+)/"
|regex APIFamily != "/content/v\d"
|regex APIFamily != "/appsettings/v\d"
|regex APIFamily != "/passbook/v\d"
| rex field=URI mode=sed "s/[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}/USER_ID/g"
| rex field=URI mode=sed "s/\/[0-9]+\/xid$/\/XID\/xid/g"
| rex field=URI mode=sed "s/{.*}/USER_ID/g"
| rex field=URI mode=sed "s/\/$//g"
Search Query 2 on QueryOne
| savedsearch QueryOne
| search *
| stats count as total, count(eval(sc_status>304)) as errors, count(eval(sc_status<304)) as pass by APIFamily
| eval error%=(errors/total)*100
| eval pass%=(pass/total)*100
| sort -total
It's not necessary (and generally discouraged) to post the same question 4 times.
Try this Query 2. It populates empty APIFamily fields with "OTHER".
| savedsearch FirstQuery
| search *
| fillnull value="OTHER" APIFamily
| stats count as total, count(eval(sc_status>304)) as errors, count(eval(sc_status<304)) as pass by APIFamily
that works, thanks
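The fix from the answer above, as an added self-contained search that is not part of the original thread: `makeresults` builds six constructed events (the URIs, status codes and the `n`, `error_pct` and `pass_pct` field names are assumptions), so it runs without the `iis*` index. The `/content/v1` event with no trailing segment lands in OTHER, because the `rex` pattern requires a `/` after the version.

```spl
| makeresults count=6
| streamstats count as n
| eval cs_uri_stem=case(n=1, "/Content/v1/items", n=2, "/content/v1/items/42", n=3, "/passbook/v2/cards", n=4, "/health", n=5, "/login/callback", n=6, "/content/v1")
| eval sc_status=case(n=1, 200, n=2, 500, n=3, 200, n=4, 200, n=5, 404, n=6, 200)
| eval URI=lower(cs_uri_stem)
| rex field=URI "(?<APIFamily>[/\w.]+/v\d+)/"
| fillnull value="OTHER" APIFamily
| stats count as total, count(eval(sc_status>304)) as errors, count(eval(sc_status<304)) as pass by APIFamily
| eval error_pct=round(errors/total*100, 1), pass_pct=round(pass/total*100, 1)
| sort -total
```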
Reposting a simplified query below, since there are no answers yet. I have the saved search FirstQuery below and want to classify anything that does not match the regex pattern for APIFamily on URI, "(?<APIFamily>[/\w.]+/v\d+)/", as an "other" category in search query 2. How can this be done in query 2?
FirstQuery -
search environment=test
index=iis* NOT "GET / - 80" NOT "GET / - 443" NOT "/ping*" NOT "swagger"
|eval URI=lower(cs_uri_stem)
|rex field=URI "(?<APIFamily>[/\w.]+/v\d+)/"
Search Query 2 on FirstQuery
| savedsearch FirstQuery
| search *
| stats count as total, count(eval(sc_status>304)) as errors, count(eval(sc_status<304)) as pass by APIFamily
To make it simpler I have simplified the 2 queries
Saved Search Queryone -
search environment=test
index=iis* NOT "GET / - 80" NOT "GET / - 443" NOT "/ping*" NOT "swagger"
|eval URI=lower(cs_uri_stem)
|rex field=URI "(?<APIFamily>[/\w.]+/v\d+)/"
| rex field=URI mode=sed "s/[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}/USER_ID/g"
Search Query 2 on QueryOne
| savedsearch QueryOne
| search *
| stats count as total, count(eval(sc_status>304)) as errors, count(eval(sc_status<304)) as pass by APIFamily