Parse message one of two ways

Follow

Jacob Voller

• July 14, 2015 15:45

We have API calls that meet one of two formats:
1) "/api//?" as controller, endpoint, filtr
2) "/api/?*" filtr

What's the best way to filter all messages on one or the other, but not both?

0

• 

  David Wynn

  • July 14, 2015 16:54

  Jacob,

  If you need to do this in one query, I would probably take this in stages and parse the data with nodrop, followed by a dummy field to determine the condition you're looking for. An example might look like the following:

      "api"
      | parse "<first parse>" as controlle, endpoint, filtr nodrop
      | parse "<second parse>" as filtr nodrop
      | if( (filtr!="" AND filtr="") OR (filtr="" AND filtr2!=""), 1, 0) as test
      | where test != 0

  Depending on your parse statement, you may also need to check if the fields return as null as well.

  0

  Comment actions Permalink
• 

  O A

  • December 14, 2015 19:21

  What does this part do?

  | if( (filtr!="" AND filtr="") OR (filtr="" AND filtr2!=""), 1, 0) as test
  | where test != 0

  0

  Comment actions Permalink
• 

  David Wynn

  • December 14, 2015 23:46

  Hmmm... yeah that's not very clear as I look it over again. Let me be more clear about what I was going for:

  === Situation ===

  There are two api calls coming into a system with a common expression. In this case its filtr, presumably an api key of some kind, but it could be anything. The goal is to highlight filtr's where only one api call exists, rather than the two.

  === Answer ===

  I would go about this a little differently today, counting by the filtr and narrowing it down from there rather than trying to display the whole message.

      "api"
      | parse "<first parse>" as controlle, endpoint, filtr nodrop
      | parse "<second parse>" as filtr nodrop
      | count by filtr
      | where filter < 2

  The will give you your target filtr's, so you can drill in from there.

  0

  Comment actions Permalink

Please sign in to leave a comment.