Hi,
I have this query:
index="app" sourcetype="rxc" host="rxc-ip*" id=7 URL="/user/unauth" OR referer="https://quest.com/user/unauth*" earliest=-15m@m latest=now| dedup qid| eval "Error"=id+"-"+Name+"(Impacted-"+referer+"OR"+URL+")"| stats count by "Error"
What I am looking for is that it should count the occurrences of either URL or referer, dedup the qid (as some qid values are common to both), and then give me a result like:
7-name:Impacted-/user/unauth 100
But stats is not working in this case for me... probably because eval is not used correctly... can someone help?
Here's the breakdown of the code:
index="app" sourcetype="rxc" host="rxc-ip*" id=7 URL="/user/unauth" OR referer="https://quest.com/user/unauth*" earliest=-15m@m latest=now
- [ Base search ]
| dedup qid
- Using dedup will remove all the duplicates for the specific field.
- Example: You have 30 events of "00001" and 10 events of "00002" in a total of 50 events. Once you use the dedup command you will only get 1 event per each, meaning you will get only 2 rows.
| eval "Error"=id+"-"+Name+"(Impacted-"+referer+"OR"+URL+")"
| stats count by "Error"
Also a screenshot or result would be helpful in this situation.
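The pipeline from the question, rebuilt on constructed events as an added example (not from either post). An event matched through only URL or only referer has the other field null, so an eval that concatenates both is null for that event and `stats count by` drops it; the second eval joins with `.` and takes whichever field is present. The `makeresults` events, the qid values, the `Name` value, and the field names `Error_original`, `events` and `original_eval_non_null` are assumptions made for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval id=7, Name="name", qid=case(n<=2, "q1", n==3, "q2", n==4, "q3")
| eval URL=if(n==1 OR n==3, "/user/unauth", null())
| eval referer=if(n==2 OR n==4, "https://quest.com/user/unauth", null())
| dedup qid
| eval Error_original=id+"-"+Name+"(Impacted-"+referer+"OR"+URL+")"
| eval Error=id."-".Name.":Impacted-".coalesce(URL, replace(referer, "^https?://[^/]+", ""))
| stats count AS events, count(Error_original) AS original_eval_non_null BY Error
```

In the real search the referer filter ends in a wildcard, so referers with anything after `/user/unauth` would land in separate `Error` rows unless the path is normalized further.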