@ITWhisperer Based on the response I changed my query to the one below.

index=stuff "kubernetes.labels.app"="some-stuff"
| search "log.msg"="Response" "log.level"=30 "log.response.statusCode"=200
| spath "log.request.path"
| rename "log.request.path" as url
| eval url=if(mvindex(split(url,"/"),4)="namespace","/attribute/namespace/{id}",url)
| eval url=if(mvindex(split(url,"/"),2)="schema","/spec-api/schema/{id}",url)
| convert timeformat="%Y/%m/%d" ctime(_time) as date
| stats min("log.context.duration") as RT_fastest max("log.context.duration") as RT_slowest p95("log.context.duration") as RT_p95 p99("log.context.duration") as RT_p99 avg("log.context.duration") as RT_avg count(url) as Total_Req by url
| sort Total_Req desc

As you can see, I had to write the eval twice for two different endpoints. But as my application grows, there may be different APIs (endpoints) with the same patterns, and I would have to write the eval for each one of them. So I was thinking: is there a more generic way to group these types of APIs into one rather than writing the eval again and again? I was looking into the "cluster" query, but was not able to get anything out of it.
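One generic way to collapse the variable parts of a request path without a per-endpoint eval, as an added example that is not part of the original thread. It keeps the index, field and output names from the query above and assumes (an assumption, not something the post states) that the variable segments are numeric or UUID identifiers; the two regexes are the only part that needs adjusting if the application uses other ID formats.

```spl
index=stuff "kubernetes.labels.app"="some-stuff"
| search "log.msg"="Response" "log.level"=30 "log.response.statusCode"=200
| spath "log.request.path" output=url
| eval url=replace(url, "/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(?=/|$)", "/{id}")
| eval url=replace(url, "/\d+(?=/|$)", "/{id}")
| stats min("log.context.duration") as RT_fastest max("log.context.duration") as RT_slowest p95("log.context.duration") as RT_p95 p99("log.context.duration") as RT_p99 avg("log.context.duration") as RT_avg count as Total_Req by url
| sort -Total_Req
```

The first replace() rewrites any whole path segment that is a UUID to {id}; the second does the same for any all-digit segment. The (?=/|$) lookahead only matches a complete segment, so a version segment such as /v2 or a mixed segment such as /abc123 is left alone, and /attribute/namespace/42 and /attribute/namespace/43 both become /attribute/namespace/{id} before stats groups them. Every new endpoint that follows the same ID convention is grouped automatically; only a genuinely new ID format needs another replace() line. Because the replacement runs per event, it is worth checking the result on a short time range first (for example `| stats count by url` alone) to confirm that no legitimate literal segment is being collapsed.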