Ok, looking to get a count of requests by "someId" in the following scenario:
Format 1: /foo?someId=s1234&nut=bang&baz=bar
Format 2: /foo?nut=bang&baz=bar&someId=s1234
Format 3: /foo?nut=bang&someId=s1234&baz=bar
I'd like to do something like:
parse "GET /*?" as uri | parse "?id=s*&" as some_id | parse "&id=s* " as some_id | where uri = "foo" | count by some_id
I realize that's not possible so what are my options? Is it possible to build a few searches and union those searches?
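A position-independent way to count by someId, as an added example that is not part of the original post: Python stands in for the log query language, which the post does not name, and the access-log layout and sample lines are constructed. It shows both a query-string parse and a single pattern anchored on `?` or `&` that covers all three formats without a union.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (assumed layout, not from the post).
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2024:00:00:01 +0000] "GET /foo?someId=s1234&nut=bang&baz=bar HTTP/1.1" 200 12
10.0.0.2 - - [01/Jan/2024:00:00:02 +0000] "GET /foo?nut=bang&baz=bar&someId=s1234 HTTP/1.1" 200 12
10.0.0.3 - - [01/Jan/2024:00:00:03 +0000] "GET /foo?nut=bang&someId=s5678&baz=bar HTTP/1.1" 200 12
10.0.0.4 - - [01/Jan/2024:00:00:04 +0000] "GET /foo?nut=bang&notsomeId=s9999 HTTP/1.1" 200 12
10.0.0.5 - - [01/Jan/2024:00:00:05 +0000] "GET /bar?someId=s1234 HTTP/1.1" 200 12
10.0.0.6 - - [01/Jan/2024:00:00:06 +0000] "POST /foo?someId=s1234 HTTP/1.1" 200 12
"""

# Pulls the request target out of a GET request line.
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')

# One pattern for all three formats: someId must directly follow "?" or "&",
# so a longer name such as "notsomeId" does not match.
SOME_ID_RE = re.compile(r'"GET /foo\?(?:[^ "]*&)?someId=([^&\s"]+)')


def count_by_parsed_query(log_text, path="/foo", param="someId"):
    """Count GET requests to `path` per value of `param`, wherever it appears."""
    counts = Counter()
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a GET request line
        url = urlsplit(match.group(1))
        if url.path != path:
            continue
        # parse_qs splits on "&" and compares whole parameter names.
        for value in parse_qs(url.query).get(param, []):
            counts[value] += 1
    return counts


def count_by_regex(log_text):
    """Same count using the single anchored pattern."""
    return Counter(m.group(1) for m in SOME_ID_RE.finditer(log_text))


if __name__ == "__main__":
    print(count_by_parsed_query(SAMPLE_LOG))
    print(count_by_regex(SAMPLE_LOG))
```

The anchored pattern is the part that carries over to a query language with regex extraction, since it needs only one capture group.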