ELB parsing specific field values
Hi,
I'm trying to tailor the Total Requests by Load Balancer query to display results for 2 load balancers instead of the total amount of 5.
The following query should hopefully give you an idea of what I'm trying to achieve:
_sourceCategory = "<sourceName>"
| parse "* * * * * * * * * * * \"*\" \"*\" * *" as datetime, ELB_Server, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request,user_agent,ssl_cipher,ssl_protocol
| parse field=request "* *://*:*/* HTTP" as method, protocol, domain, server_port, path nodrop
| parse field=client "*:*" as clientIP, port nodrop
| parse field=backend "*:*" as backendIP, backend_port nodrop
| fields - request, client, backend
// Parse all fields above, then aggregate
| where ELB_Server matches "ELB-number1" or ELB_Server matches "ELB-number2"
| count by elb_server
| sort _count
The above query only yields results from ELB-number1, ignoring ELB-number2. Is there a way to combine the 2 and produce a count that adds ELB-number1 and ELB-number2?
Any questions please ask.
Ben
-
Ben,
you should be able to do just a count, without the group by. I also moved the where clause up for efficiency purposes:
_sourceCategory = "<sourceName>"
| parse "* * * * * * * * * * * \"*\" \"*\" * *" as datetime, ELB_Server, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request,user_agent,ssl_cipher,ssl_protocol
| where ELB_Server matches "ELB-number1" or ELB_Server matches "ELB-number2"
| parse field=request "* *://*:*/* HTTP" as method, protocol, domain, server_port, path nodrop
| parse field=client "*:*" as clientIP, port nodrop
| parse field=backend "*:*" as backendIP, backend_port nodrop
| fields - request, client, backend
// Parse all fields above, then aggregate
| count
| sort _count
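The difference between the two aggregations in this thread, shown offline as an added example that is not part of either post: a Python sketch that parses constructed classic-ELB log lines, filters on the two load balancer names before the secondary parse, and returns both the per-ELB counts (`count by`) and the combined total (`count`). The regexes, the function name and the sample lines are assumptions, and exact string equality stands in for the `matches` operator.

```python
import re
from collections import Counter

# Classic ELB access-log layout: the same 15 fields the thread's parse statement names.
ELB_LINE = re.compile(
    r'(?P<datetime>\S+) (?P<ELB_Server>\S+) (?P<client>\S+) (?P<backend>\S+) '
    r'(?P<request_processing_time>\S+) (?P<backend_processing_time>\S+) '
    r'(?P<response_processing_time>\S+) (?P<elb_status_code>\S+) '
    r'(?P<backend_status_code>\S+) (?P<received_bytes>\S+) (?P<sent_bytes>\S+) '
    r'"(?P<request>[^"]*)" "(?P<user_agent>[^"]*)" (?P<ssl_cipher>\S+) (?P<ssl_protocol>\S+)$'
)
# Secondary parse of the request field ("* *://*:*/* HTTP" in the thread's query).
REQUEST = re.compile(r'(\S+) ([^:\s]+)://([^:/\s]+):(\d+)/(\S*) HTTP')

# Constructed sample lines (not real traffic); the last one is deliberately malformed.
SAMPLE_LOG = [
    '2015-05-13T23:39:43.945958Z ELB-number1 192.0.2.10:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -',
    '2015-05-13T23:39:44.101112Z ELB-number1 192.0.2.11:2818 10.0.0.2:80 0.000086 0.001048 0.001337 200 200 0 57 "POST https://www.example.com:443/login HTTP/1.1" "curl/7.38.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2',
    '2015-05-13T23:39:45.000000Z ELB-number2 192.0.2.12:2819 10.0.0.3:80 0.001069 0.000028 0.000041 - - 82 305 "- - - " "-" - -',
    '2015-05-13T23:39:46.000000Z ELB-number3 192.0.2.13:2820 10.0.0.4:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -',
    'garbage line with too few fields',
]

def count_requests(lines, wanted):
    """Return per-ELB counts and the combined total for the ELB names in `wanted`."""
    by_elb, unparsed_request, malformed = Counter(), 0, 0
    for line in lines:
        m = ELB_LINE.match(line.strip())
        if m is None:
            malformed += 1          # the first parse has no nodrop, so such lines are dropped
            continue
        if m["ELB_Server"] not in wanted:
            continue                # filter early, like the where clause moved up in the reply
        if REQUEST.match(m["request"]) is None:
            unparsed_request += 1   # nodrop: the record is kept even though the sub-parse failed
        by_elb[m["ELB_Server"]] += 1
    return {"by_elb": dict(by_elb),            # equivalent of "count by"
            "total": sum(by_elb.values()),     # equivalent of plain "count"
            "unparsed_request": unparsed_request, "malformed": malformed}

if __name__ == "__main__":
    print(count_requests(SAMPLE_LOG, {"ELB-number1", "ELB-number2"}))
```

The `"- - - "` request on the ELB-number2 line is still counted, which is what `nodrop` on the secondary parses preserves.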