I am super new to using the powerful eval command but cannot quite get my head around the syntax. Can someone help me?
I am trying to show stats to show how many useragents have the word bot somewhere in the field vs those that do not.
... | eval type=BOT if(useragent="*bot*")|eval type=NOT if(useragent!="*bot*")|stats count by type
Try:
... | eval type=if(match(useragent, ".*bot.*"), "BOT", "NOT")|stats count by type
Hi ppablo, it said that I did not have enough karma.
Thanks for confirming. It should be fixed now, but if you're still unable to comment on other users' answers/comments, just let me know.
Thanks both d and somesoni2, you were both correct. Thanks!
(I cannot add comments to your answers)
Hi @KindaWorking
Glad you got two awesome answers! Question though for you. What happened exactly when you tried to comment on their answers? Did you receive an error or did a message pop up saying something about not having enough karma or permissions? This might be a bug we thought was fixed already.
Try:
... | eval type=if(match(useragent, ".*bot.*"), "BOT", "NOT")|stats count by type
Try like this
your base search | eval type=if(like(useragent,"%bot%"),"BOT","NOT") | stats count by type