I am trying to do a search match based on a number of different criteria.
The below does not work.
sourcetype="iis-2" | extract auto=true | search cs_username | eval Product=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/|*/Product/Product*Overview/Global*|*/Product/Product*Overview/EMEA/*|*/Product/Product*Overview/APAC/|*/Product/Product*Overview/Americas/"),1,null()) | stats count(Product) as Product by date_month
The below does return results but I want to combine Product 1-5 into one column and add the results.
sourcetype="iis-2" | extract auto=true | search cs_username |
eval Product1=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/"),1,null()) |
eval Product2=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/Global*"),1,null()) |
eval Product3=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/EMEA/*"),1,null()) |
eval Product4=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/APAC/*"),1,null()) |
eval Product5=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/Americas/*"),1,null()) |
stats count(Product1) as Product1 count(Product2) as Product2 count(Product3) as Product3 count(Product4) as Product4 count(Product5) as Product5 by date_month
I can't use */Product/Product*Overview/*
as there are pages other than the ones above that I do not want to include.
I am stuck, hope you can help.
This is the way you would use OR with rex. If your strings are correct, then this should work with the exception of /Product/Product.*Overview/. I left that out because from the looks of it you are specifying the overview/X strings that you want, and you said there are many that you don't want:
| rex field="cs_uri_stem" ".*(?<PRODUCT>/Product/Product.*Overview/Global.*|/Product/Product.*Overview/EMEA/.*|/Product/Product.*Overview/APAC/.*|/Product/Product.*Overview/Americas/.*)$" | eval Contact=if(match(cs_uri_stem,"/Contacts/ContactProfile/"),1,null())
Yes, if you also want to create the field Contact when the stem = that value only, then you would include that eval statement at the end. I tested it with different stems and it worked. I updated the query.
Is it possible to combine this in a query where I am also using eval on the cs_uri_stem:
eval Contact=if(match(cs_uri_stem,"/Contacts/.*Contact.*Profile/"),1,null()) |
I just added /Product/Product.*Overview/. to the query and it works great.
This works great, however I do need the....
/Product/Product.*Overview/
It used to be the case that this page was split by geo location, and that is no longer the case, so to run a query over the whole year I would need to include the page below but no pages underneath it.
/Product/Product.*Overview/
The problem with searchmatch is that it is not regex, so separating searches with "|" (or) will not work. You can do it this way:
sourcetype="iis-2" | extract auto=true | search cs_username | eval Product=if(match(cs_uri_stem,"/Product/Product.*Overview/$"),1,if(match(cs_uri_stem,"/Product/Product.*Overview/Global.*"),1,if(match(cs_uri_stem,"/Product/Product.*Overview/EMEA/.*"),1,if(match(cs_uri_stem,"/Product/Product.*Overview/APAC/.*"),1,if(match(cs_uri_stem,"/Product/Product.*Overview/Americas/.*"),1,null()))))) | stats count(Product) as Product by date_month
Or a non-nested version:
sourcetype="iis-2" | extract auto=true | search cs_username | eval Product=case(match(cs_uri_stem,"/Product/Product.*Overview/$"),1,match(cs_uri_stem,"/Product/Product.*Overview/Global.*"),1,match(cs_uri_stem,"/Product/Product.*Overview/EMEA/.*"),1,match(cs_uri_stem,"/Product/Product.*Overview/APAC/.*"),1,match(cs_uri_stem,"/Product/Product.*Overview/Americas/.*"),1,true(),null()) | stats count(Product) as Product by date_month
UPDATE
I fixed the syntax on the two searches.
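To make the two points in this thread concrete outside Splunk (searchmatch() is a wildcard search term, so "|" inside it is a literal character, while match() is a regex, so "*" has to become ".*" and the bare overview page needs a "$" anchor if its child pages are to be excluded), here is an added Python example that is not part of the original thread or of Splunk. It classifies cs_uri_stem values from a few constructed IIS W3C log lines and counts the matching product page hits per month; the log lines, the glob_to_regex helper and the PRODUCT_RE pattern are assumptions made for the illustration.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample IIS W3C-style log lines (not real data).
# Fields: date time cs-uri-stem cs-username
SAMPLE_LOG = """\
2023-01-03 10:00:01 /Product/ProductOverview/ jsmith
2023-01-03 10:00:02 /Product/ProductOverview/Global/index.aspx jsmith
2023-01-04 10:00:03 /Product/ProductOverview/EMEA/pricing.aspx adoe
2023-02-01 10:00:04 /Product/ProductOverview/APAC/ adoe
2023-02-01 10:00:05 /Product/ProductOverview/Americas/team.aspx jsmith
2023-02-02 10:00:06 /Product/ProductOverview/Internal/draft.aspx jsmith
2023-02-02 10:00:07 /Contacts/ContactProfile/123 adoe
2023-03-05 10:00:08 /Product/ProductOverview/Archive/2019/ adoe
"""

# Regex equivalent of the rex alternation used in the accepted answer. The first
# alternative is empty and followed by "$", so the bare overview page matches
# exactly and pages underneath it (Internal/, Archive/) do not.
PRODUCT_RE = re.compile(
    r"^/Product/Product.*Overview/"
    r"(?:$|Global.*|EMEA/.*|APAC/.*|Americas/.*)$"
)


def searchmatch_glob(value: str, pattern: str) -> bool:
    """Model Splunk search-term semantics: case-insensitive wildcard match.

    Only '*' is a wildcard here; '|' is an ordinary character, which is why a
    pipe-separated list of patterns inside searchmatch() never matches anything.
    (fnmatch also treats '?' and '[...]' specially; URI stems do not contain them.)
    """
    return fnmatchcase(value.lower(), pattern.lower())


def glob_to_regex(pattern: str) -> str:
    """Turn a Splunk-style wildcard pattern into an anchored regex for match().

    Every literal segment is escaped, '*' becomes '.*', so "*/Product/Product*Overview/Global*"
    becomes "^.*/Product/Product.*Overview/Global.*$".
    """
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def is_product_page(stem: str) -> bool:
    """True for the overview page itself and the four regional sub-trees only."""
    return PRODUCT_RE.search(stem) is not None


def parse_line(line: str) -> tuple[str, str, str]:
    """Return (month, cs_uri_stem, cs_username) from one sample log line."""
    date, _time, stem, user = line.split()
    return date[:7], stem, user


def product_counts_by_month(log_text: str) -> dict[str, int]:
    """Equivalent of: eval Product=if(match(...),1,null()) | stats count(Product) by month."""
    counts: Counter[str] = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        month, stem, _user = parse_line(line)
        if is_product_page(stem):
            counts[month] += 1
    return dict(counts)


if __name__ == "__main__":
    print(product_counts_by_month(SAMPLE_LOG))
    # A pipe inside a wildcard search term is literal, so this never matches:
    print(searchmatch_glob("/Product/ProductOverview/Global/index.aspx",
                           "*/Product/Product*Overview/|*/Product/Product*Overview/Global*"))
```

The same idea carries back to SPL: keep wildcards for search terms, and when you move to match() or rex, rewrite each pattern as a regex and anchor the one path that must match exactly.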
Hi, Thanks for the response, I am just testing them now.
The first query comes back with...
Error in 'eval' command: The operator at ')' is invalid.
The Non-nested version come back with...
Error in 'eval' command: The operator at ',null())' is invalid.
Did either of these work for you?
Something like this:
sourcetype="iis-2" | extract auto=true | search cs_username |rex field=cs_uri_stem ".*(?
This probably won't work because I don't have the entire value string, but that is basically it to create a field called Global for that stem.
Can you post the full cs_uri_stem values?
Thanks for the reply. I have not done this before, how would I go about doing this?
I've never been able to get regex or wildcards to work in an if statement. Your best bet is probably creating a rex that will create a field for each. Once you have them as fields, then you can do pretty much whatever you want.