My log entries consist of a single json object, like so:
{ Severity: "INFO", Message: { StatusCode: 200, Route: "/hello/world?x=1" } }
{ Severity: "WARN", Message: { StatusCode: 500, Route: "/hello/world?x=2" } }
Just as a test, I'm able to create the following panel in my dashboard:
index="my_index" | bucket span=10m _time | stats count(eval(Severity="WARN")) as warning by Message.Route, _time
This appears to work fine since the Severity property is at the root of the json object. However, if I switch to one of the subproperties of the object, it doesn't find any records:
index="my_index" | bucket span=10m _time | stats count(eval(Message.StatusCode="500")) as warning by Message.Route, _time
I should also point out that if I don't wrap the "500" in quotes, it gives me a typechecking error saying that the '==' operator is being applied to two different types of arguments (which doesn't make any sense, and might be contributing to this issue).
Please advise on how I can proceed. This shouldn't be so difficult...