Hello,
I have the below SPL with the two mvindex functions.
mvindex position '6' in the array is supposed to apply http statuses for /developers.
mvindex position '10' in the array is supposed...
See more...
Hello,
I have the below SPL with the two mvindex functions.
mvindex position '6' in the array is supposed to apply http statuses for /developers.
mvindex position '10' in the array is supposed to apply http statuses for /apps.
Currently position 6 and 10 are crossing events. Applying to both APIs. Is there anyway I can have one mvindex apply to one command?
(index=wf_pvsi_virt OR index=wf_pvsi_tmps) (sourcetype="wf:wca:access:txt" OR sourcetype="wf:devp1:access:txt") wf_env=PROD
| eval temp=split(_raw," ")
| eval API=mvindex(temp,4,8)
| eval http_status=mvindex(temp,6,10)
| search (
"/services/protected/v1/developers" OR
"/wcaapi/userReg/wgt/apps"
)
| search NOT "Mozilla"
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)