the events data set looks like this:
2:05:34.067 PM 3DS: auth_validate_success Proceeding with payment authorization country=DE, currency=EUR
2:05:33.220 PM 3DS: auth_validate country=DE, currency=EUR
1:40:28.684 PM 3DS: auth_validate_success Proceeding with payment authorization country=CY, currency=EUR
1:40:28.237 PM 3DS: auth_validate country=CY, currency=EUR
1:33:40.604 PM 3DS: auth_validate_success Proceeding with payment authorization country=CY, currency=EUR
1:33:40.108 PM 3DS: auth_validate country=CY, currency=EUR
1:07:06.813 PM 3DS: auth_validate_success Proceeding with payment authorization country=DE, currency=EUR
1:07:06.147 PM 3DS: auth_validate country=DE, currency=EUR
1:03:51.530 PM 3DS: auth_validate_success Proceeding with payment authorization country=DE, currency=EUR
1:03:51.117 PM 3DS: auth_validate country=DE, currency=EUR
12:11:21.673 AM 3DS: auth_validate_success Proceeding with payment authorization country=DE, currency=EUR
12:11:21.017 AM 3DS: auth_validate country=DE, currency=EUR
my search query:
"3DS: auth_validate country" OR "3DS: auth_validate_success" OR "3DS: auth_validate_error" OR "3DS: auth_validate_exception"
| chart
count(eval(searchmatch("3DS: auth_validate country"))) AS Validate_total
count(eval(searchmatch("3DS: auth_validate_success"))) AS Validate_success
count(eval(searchmatch("3DS: auth_validate_error"))) AS Validate_error
count(eval(searchmatch("3DS: auth_validate_exception"))) AS Validate_exception
by country
| table country, Validate_total, Validate_success, Validate_error, Validate_exception,
| rename Validate_total as "Total Validate Calls"
| rename Validate_success as "Validate Success"
| rename Validate_error as "Validate Error"
| rename Validate_exception as "Validate Exception "
| sort - Validate_total
but the returned table shows double amount of the first string, I was expecting the Total Validate calls to be 2 and 4 too.
country Total Validate Calls Validate Success Validate Error Validate Exception
CY 4 2 0 0
DE 8 4 0 0
I can't figure out why. First I suspected it to be a string indexing issue, but if I use the same string in a separate query, it works fine.
Any help greatly appreciated!
The docs say searchmatch
has to be used within if
so perhaps that's what's causing the problem. Try this alternative query:
"3DS: auth_validate country" OR "3DS: auth_validate_success" OR "3DS: auth_validate_error" OR "3DS: auth_validate_exception"
| stats
count(eval(like(_raw, "%3DS: auth_validate country%"))) AS Validate_total,
count(eval(like(_raw, "%3DS: auth_validate_success%"))) AS Validate_success,
count(eval(like(_raw, "%3DS: auth_validate_error%"))) AS Validate_error,
count(eval(like(_raw, "%3DS: auth_validate_exception%"))) AS Validate_exception
by country
| table country, Validate_total, Validate_success, Validate_error, Validate_exception,
| sort - Validate_total
| rename country as Country
| rename Validate_total as "Total Validate Calls"
| rename Validate_success as "Validate Success"
| rename Validate_error as "Validate Error"
| rename Validate_exception as "Validate Exception "
The docs say searchmatch
has to be used within if
so perhaps that's what's causing the problem. Try this alternative query:
"3DS: auth_validate country" OR "3DS: auth_validate_success" OR "3DS: auth_validate_error" OR "3DS: auth_validate_exception"
| stats
count(eval(like(_raw, "%3DS: auth_validate country%"))) AS Validate_total,
count(eval(like(_raw, "%3DS: auth_validate_success%"))) AS Validate_success,
count(eval(like(_raw, "%3DS: auth_validate_error%"))) AS Validate_error,
count(eval(like(_raw, "%3DS: auth_validate_exception%"))) AS Validate_exception
by country
| table country, Validate_total, Validate_success, Validate_error, Validate_exception,
| sort - Validate_total
| rename country as Country
| rename Validate_total as "Total Validate Calls"
| rename Validate_success as "Validate Success"
| rename Validate_error as "Validate Error"
| rename Validate_exception as "Validate Exception "
Thanks, that works!