Hi,
I'm trying to use a Custom Field Extraction to get some authorization data from some logs and then trying to find a ratio between successful/unsuccessful authorizations. The data I'm trying to extract looks like this inside my logs:
... "authorized":true ...
... "authorized":false ...
I've created a custom field extraction to get the number of occurrences of "true" and "false":
(?i)".*?"authorized":(?P<AUTHORIZED>[a-z]+)(?=,)
When I run the search command:
sourcetype=test_host_console host=test_host* AUTHORIZED=* | timechart count by AUTHORIZED
I correctly obtain columns with the corresponding number of falses and trues.
However, when I try to calculate a ratio between them and try to sort by host using this search command:
sourcetype=test_host_console host=test_host* AUTHORIZED=* | stats count(eval(AUTHORIZED=false)) as FALSE, count(eval(AUTHORIZED=true)) as TRUE by host | eval RATIO=FALSE/TRUE
I get all 0's for my results. I'm not really sure what's wrong with my search command. Any help would be much appreciated.
Thanks
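An added example, not part of the original post: the post's extraction regex run in Python over constructed log lines, with the FALSE/TRUE counts and ratio computed per host. The sample events, host names and the function names `extract` and `ratio_by_host` are assumptions; the last sample line shows that the `(?=,)` lookahead skips events where `"authorized"` is the final key.

```python
import re
from collections import defaultdict

# Extraction regex copied from the post (Python accepts the same (?P<name>...) syntax).
EXTRACT = re.compile(r'(?i)".*?"authorized":(?P<AUTHORIZED>[a-z]+)(?=,)')

# Constructed sample events (host, raw line); host names and every field other
# than "authorized" are assumptions made for illustration.
SAMPLE = [
    ("test_host1", '{"user":"a","authorized":true,"ms":12}'),
    ("test_host1", '{"user":"b","authorized":false,"ms":9}'),
    ("test_host1", '{"user":"c","authorized":true,"ms":7}'),
    ("test_host2", '{"user":"d","authorized":false,"ms":11}'),
    ("test_host2", '{"user":"e","authorized":false,"ms":8}'),
    # "authorized" is the last key here, so no comma follows and (?=,) rejects it.
    ("test_host2", '{"user":"f","authorized":true}'),
]

def extract(raw):
    """Return the lowercased AUTHORIZED value, or None when the regex does not match."""
    m = EXTRACT.search(raw)
    return m.group("AUTHORIZED").lower() if m else None

def ratio_by_host(events):
    """Count false/true per host and compute FALSE/TRUE, tracking unmatched events."""
    counts = defaultdict(lambda: {"FALSE": 0, "TRUE": 0, "UNMATCHED": 0})
    for host, raw in events:
        value = extract(raw)
        # Compare against string literals: the extracted field is text, not a boolean.
        if value == "false":
            counts[host]["FALSE"] += 1
        elif value == "true":
            counts[host]["TRUE"] += 1
        else:
            counts[host]["UNMATCHED"] += 1
    result = {}
    for host, c in sorted(counts.items()):
        # With no successful authorizations the ratio is undefined, not zero.
        ratio = c["FALSE"] / c["TRUE"] if c["TRUE"] else None
        result[host] = {**c, "RATIO": ratio}
    return result

if __name__ == "__main__":
    for host, row in ratio_by_host(SAMPLE).items():
        print(host, row)
```

In Splunk's `eval`, the same comparison needs the literal quoted, as in `AUTHORIZED="false"`; an unquoted word is read as a field name.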