different count with contains

  • James Fields

    Hi Dekel,

    From your description, what you would want to do is something similar to the following

    _source...

    | parse....

    | if(errorMessage matches "id not found*", "id issue",if(errorMessage matches "user not authorized*", "auth issue", "general error"))
    | count by errorMessage

    So this will attempt to match the errorMessage first to "id not found", and if that doesn't match, then to "user not authorized", and then assign "general error" if it matches neither of the previous values.

    Note that this is a nested if, and following the syntax you can add additional matches:

    | if(errorMessage matches "id not found*", "id issue",if(errorMessage matches "user not authorized*", "auth issue", if(errorMessage matches " type3", "type3","general error")))

    The documentation for the if statement can be found at:

    https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/if-operator-and

    Thank you,

    James

  • Dekel Moyal

    @james thanks very much for the info, I don't know how I missed the nested if :D

    Great solution, your example was very helpful. It didn't work first try, so I went into the doc you added, and I saw that I need to end it with "as" and name it. It works perfectly now!

     


Please sign in to leave a comment.
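The query the thread arrives at, written out in full as an added example (not code posted by either participant): the nested if is closed with an "as" alias and the count is grouped by that alias. The source expression, the parse pattern and the field name errorType are assumptions, since the thread elides the first two and does not name the third.

```sumologic
// Added example. The source expression and parse pattern below are
// placeholders (the thread elides both); substitute your own.
_sourceCategory=<your/source/category>
| parse "error: *" as errorMessage
// Conditions are evaluated outermost first, so the first matching
// pattern decides the category; anything unmatched falls through
// to "general error".
| if(errorMessage matches "id not found*", "id issue",
    if(errorMessage matches "user not authorized*", "auth issue",
      "general error")) as errorType
// Group by the alias (hypothetical name errorType) so there is one
// row per category rather than one row per raw message.
| count by errorType
| sort by _count
```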