I have an ELB query that I am trying to tailor for my needs. See below.
This query pulls out the correct data just fine; however, I'd like to add a new field that lists the ELB_Server name. This would result in 4 columns.
How would I edit the below query to accommodate this?
_sourceCategory = "<sourceCategory>"
| parse "* * * * * * * * * * * \"*\" \"*\" * *" as datetime, ELB_Server, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request,user_agent,ssl_cipher,ssl_protocol
| parse field=request "* *://*:*/* HTTP" as method, protocol, domain, server_port, path nodrop
| parse field=client "*:*" as clientIP, port nodrop
| parse field=backend "*:*" as backendIP, backend_port nodrop
| fields - request, client, backend
| where (backend_status_code matches "5*") or (backend_status_code matches "4*")
| if (backend_status_code matches "5*",1,0) as backend_5XX
| if (backend_status_code matches "4*",1,0) as backend_4XX
| sum(backend_4XX) as backend_4XX, sum(backend_5XX) as backend_5XX by domain
| limit 20
| sort by backend_4XX