Parse message one of two ways
We have API calls that meet one of two formats:
1) "/api//?" as controller, endpoint, filtr
2) "/api/?*" filtr
What's the best way to filter all messages on one or the other, but not both?
-
Jacob,
If you need to do this in one query, I would probably take this in stages and parse the data with nodrop, followed by a dummy field to determine the condition you're looking for. An example might look like the following:
"api"
| parse "<first parse>" as controller, endpoint, filtr nodrop
| parse "<second parse>" as filtr2 nodrop
| if( (filtr!="" AND filtr2="") OR (filtr="" AND filtr2!=""), 1, 0) as test
| where test != 0
Depending on your parse statement, you may also need to check if the fields return as null as well.
-
Hmmm... yeah that's not very clear as I look it over again. Let me be more clear about what I was going for:
=== Situation ===
There are two api calls coming into a system with a common expression. In this case it's filtr, presumably an api key of some kind, but it could be anything. The goal is to highlight filtrs where only one api call exists, rather than the two.
=== Answer ===
I would go about this a little differently today, counting by the filtr and narrowing it down from there rather than trying to display the whole message.
"api"
| parse "<first parse>" as controller, endpoint, filtr nodrop
| parse "<second parse>" as filtr nodrop
| count by filtr
| where _count < 2
This will give you your target filtrs, so you can drill in from there.
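The two-stage idea above (parse both formats with nodrop, then keep only keys seen in one of them) as an added example in Python over constructed log lines; this is not code from the thread or from Sumo Logic, and the URL shapes below are assumptions standing in for the elided parse expressions. It goes a little beyond the count-based query by recording which format each filtr value came from, so a key repeated several times in a single format is still reported.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original thread). Two API
# shapes share a "filtr" value, assumed here to be a query parameter.
SAMPLE_LOGS = [
    "GET /api/users/list?filtr=abc123",   # format 1
    "GET /api/users?filtr=abc123",        # format 2, same key -> both
    "GET /api/orders/get?filtr=zzz999",   # format 1 only
    "GET /api/reports?filtr=qqq777",      # format 2 only
    "GET /api/reports?filtr=qqq777",      # repeated, still format 2 only
    "POST /api/health",                   # matches neither
]

# Assumed format 1: /api/<controller>/<endpoint>?filtr=<value>
FORMAT1 = re.compile(r"/api/([^/?\s]+)/([^/?\s]+)\?filtr=(\S+)")
# Assumed format 2: /api/<single segment>?filtr=<value>
FORMAT2 = re.compile(r"/api/([^/?\s]+)\?filtr=(\S+)")


def parse_line(line):
    """Mimic the two `parse ... nodrop` stages: return (filtr, filtr2),
    where each element is None when its format did not match (the
    null case the first answer warns about)."""
    m1 = FORMAT1.search(line)
    m2 = FORMAT2.search(line)
    return (m1.group(3) if m1 else None, m2.group(2) if m2 else None)


def one_format_only(line):
    """Per-message flag equivalent to the `if(...) as test` stage:
    True when exactly one of the two parses produced a value."""
    f1, f2 = parse_line(line)
    return (f1 is None) != (f2 is None)


def single_format_keys(lines):
    """Aggregate like `count by filtr | where _count < 2`, but keyed on
    the set of formats seen per filtr value. Returns {value: format}
    for values that appear in only one of the two formats."""
    seen = defaultdict(set)
    for line in lines:
        f1, f2 = parse_line(line)
        if f1 is not None:
            seen[f1].add("format1")
        if f2 is not None:
            seen[f2].add("format2")
    return {k: next(iter(v)) for k, v in seen.items() if len(v) == 1}


if __name__ == "__main__":
    for key, fmt in sorted(single_format_keys(SAMPLE_LOGS).items()):
        print(f"{key}: only seen via {fmt}")
```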