Hello,
I'm trying to use the searchmatch command to create a field that has two values, success and exceptions. I am also using the count command to count the number of successes and exceptions after the field has been created. This is my current search:
host="inf012prd*.ipacc.com" source="/logging/PaymentsServiceV3/inf012prd*.ipacc.com/ipacc.log" OR source="/logging/PaymentsServiceV3/inf012prd*.ipacc.com/error.log" | eval Payments=if(searchmatch("source=/logging/PaymentsServiceV3/inf012prd*.ipacc.com/ipacc.log" "*Payment Request: *")"Success",STATE) | eval Errors=if(searchmatch("source=/logging/PaymentsServiceV3/inf012prd*.ipacc.com/error.log")"Exceptions",STATE)| timechart span=1d count(Success) as Success, count(Errors) as Errors
Yet, each time I run the search, I only get this:
Error in 'eval' command: The expression is malformed. Expected ).
What is wrong with my syntax? Any help is appreciated.
You are missing some commas; try this:
host="inf012prd*.ipacc.com" source="/logging/PaymentsServiceV3/inf012prd*.ipacc.com/ipacc.log" OR source="/logging/PaymentsServiceV3/inf012prd*.ipacc.com/error.log" | eval Payments=if(searchmatch("source=/logging/PaymentsServiceV3/inf012prd*.ipacc.com/ipacc.log" "*Payment Request: *"),"Success",STATE) | eval Errors=if(searchmatch("source=/logging/PaymentsServiceV3/inf012prd*.ipacc.com/error.log"),"Exceptions",STATE)| timechart span=1d count(Success) as Success, count(Errors) as Errors
Unfortunately, that didn't work. Maybe it's something else? The parentheses seem to match up fine...
You are correct, it also has a problem with double-quotes. Try this:
host="inf012prd*.ipacc.com" source="/logging/PaymentsServiceV3/inf012prd*.ipacc.com/ipacc.log" OR source="/logging/PaymentsServiceV3/inf012prd*.ipacc.com/error.log" | eval Payments=if(searchmatch("source=/logging/PaymentsServiceV3/inf012prd*.ipacc.com/ipacc.log *Payment Request: *"),"Success",STATE) | eval Errors=if(searchmatch("source=/logging/PaymentsServiceV3/inf012prd*.ipacc.com/error.log"),"Exceptions",STATE)| timechart span=1d count(Success) as Success, count(Errors) as Errors
That did it. Thank you, woodcock.