Hello,
I am using the following search:
index="ips_snaplogic""postsales" lvl="ERROR"| spath| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message.message
| timechart count BY msg
This is the JSON I am trying to drill into, and grab the error message that I am trying to divide the chart by.
//XXX/projects/Sales_PostSales_processPostSaleOrder_VIP_CCT:{
"Service":"Enterprise Sales",
"Date":"09/19/2017 08:44:41.466",
"Environment":"XXX",
"Debug":"Error",
"Source":"PostSalesIntegration",
"Description":"Error::processPostSaleOrder_VIP_CCT. Error occurred while trying to process the message. Failed to execute HTTP request",
"Message_Unique_Id":null,
"Message_qualifier":null,
"JMSMessageID":null,
"Detail":{
"error":{
"message":"Failed to execute HTTP request",
"reason":"Read timed out",
"resolution":"Please check the Snap properties."
}
When I use timechart, I get a visual. When I use chart, no results. Any idea why?
Thanks
What's your query with chart command? What is the expected visualization with chart command?
I have updated my original question.
Could you also post the query that you use with chart command? Do you select pie visualization for both?
Hi zeroCalm,
What options do you use in the chart command?
Bye.
Giuseppe
Options? I don't believe I understand the question. The original question shows my entire search string.
Did you try something like this, using chart instead of timechart?
index="ips_snaplogic""postsales" lvl="ERROR"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message.message
| bin _time span=1h
| chart count over _time BY msg
Bye.
Giuseppe
Now I am getting a chart, but the error message isn't showing.
Here is a screenshot.
Thanks again.
Review the message field extraction.
Bye.
Giuseppe
This | spath output=msg path=Detail.error.message.message
should be replaced with this | spath output=msg path=Detail.error.message
If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe
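The prefix strip and the two field paths discussed in this thread, as an added example that is not from any participant: Python's re and json stand in for rex mode=sed and spath, so Splunk's own engine is not exercised here. The sample event is constructed from the one in the question with closing braces added (an assumption), the function names are hypothetical, and the single-line case and the anchored strip go beyond what the thread covers.

```python
import json
import re

# Constructed sample based on the event in the question; the closing braces
# are an assumption added so that the JSON is complete.
RAW_EVENT = """//XXX/projects/Sales_PostSales_processPostSaleOrder_VIP_CCT:{
"Debug":"Error",
"Source":"PostSalesIntegration",
"Detail":{
"error":{
"message":"Failed to execute HTTP request",
"reason":"Read timed out"
}
}
}"""
# The same event flattened onto one line (constructed).
ONE_LINE_EVENT = " ".join(RAW_EVENT.splitlines())


def strip_greedy(raw):
    """s/.*{/{/ applied once: '.' stops at newlines, '.*' is greedy within a line."""
    return re.sub(r".*\{", "{", raw, count=1)


def strip_anchored(raw):
    """Drop everything before the first '{', whatever the line layout."""
    return re.sub(r"^[^{]*", "", raw, count=1)


def lookup(obj, path):
    """Walk a dotted path; None when a segment is missing or the value is not an object."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def extract_msg(raw, path, strip=strip_greedy):
    """Strip the prefix, parse the JSON, return the value at path (None on any failure)."""
    try:
        return lookup(json.loads(strip(raw)), path)
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    for path in ("Detail.error.message.message", "Detail.error.message"):
        print(path, "->", extract_msg(RAW_EVENT, path))
    print("one line, greedy   ->", extract_msg(ONE_LINE_EVENT, "Detail.error.message"))
    print("one line, anchored ->",
          extract_msg(ONE_LINE_EVENT, "Detail.error.message", strip_anchored))
```

In this stand-in, the extra `.message` segment yields nothing because `Detail.error.message` is already a string, and the greedy strip leaves unparseable JSON when the whole event sits on one line.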
Try this and see what happens...
index="ips_snaplogic""postsales" lvl="ERROR"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message
| bin _time span=1h
| chart count BY msg _time
Updated to eliminate extra ".message"
Thanks for the response, I am having the same results though.
@zerocalm - try again. There was an extra .message in the code, probably inserted somehow when you changed timechart to chart.
|makeresults
| eval _raw="//XXX/projects/Sales_PostSales_processPostSaleOrder_VIP_CCT:{
\"Service\":\"Enterprise Sales\",
\"Date\":\"09/19/2017 08:44:41.466\",
\"Environment\":\"XXX\",
\"Debug\":\"Error\",
\"Source\":\"PostSalesIntegration\",
\"Description\":\"Error::processPostSaleOrder_VIP_CCT. Error occurred while trying to process the message. Failed to execute HTTP request\",
\"Message_Unique_Id\":null,
\"Message_qualifier\":null,
\"JMSMessageID\":null,
\"Detail\":{
\"error\":{
\"message\":\"Failed to execute HTTP request\",
\"reason\":\"Read timed out\",
\"resolution\":\"Please check the Snap properties.\"
}"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message
Thanks, I removed the extra .message, and I am still getting the same results.
Screenshot: