different count with contains

Follow

Dekel Moyal

• April 18, 2019 08:25

Hi,

Sorry for the lame title didnt know exactly how to summarize what i need.

 

I have a Logfile that contains a few message:

serviceName - the name of the service

messageType - the type, im querying only "ERROR"

errorMessage - the actual error, this is a free text field that contains the error details, but the main reason is usually first (in some cases its not).

 

what i want is to run a count on how many errors i have from the same type.

for example:

i have these errorMessage:

1. id not found - id5435
2. id not found - id8873
3. user not authorized - user a222
4. general error - error not authenticated
5. error { error id 2 {error with user a2221 } }

what i want is to filter out the errorMessage field and to give each "contains" type i want a name, for example, if errorMessage contains ("id not found") call it "id issue", if errorMessage contains ("user not authorized") call it "auth issue" and so on, just to clarify the error doesnt have to appear first in the message thats why i'm using contains and not a regular parse with *

 

at the end, i want to count those items.

i want to have a count that will look like this:

• id issue - 2
• auth issue - 1
• general error - 2

 

so how do i do the above? looked in documentation but i didnt find anything, also looked in previous threads, sorry if i missed it.

 

thanks in advance for any help, if the issue is not clear, please reply and i'll add/edit more info.

0

• 

  James Fields

  • April 25, 2019 22:51
  • Edited

  Hi Dekel,

   

  From your description, what you would want to do is something similar to the following

  _source...

  | parse....

  | if(errorMessage matches "id not found*", "id issue",if(errorMessage matches "user not authorized*", "auth issue", "general error"))
  | count by errorMessage

  So this will attempt to match the errorMessage first to "id not found", and if that doesn't match, then to "user not authorized", and then assign "general error" if it matches neither of the previous values.

  Note that this is a nested if, and following the syntax you can additional matches:

  | if(errorMessage matches "id not found*", "id issue",if(errorMessage matches "user not authorized*", "auth issue", if(errorMessage matches " type3", "type3","general error")))

  The documentation for the if statement can be found at:

  https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/if-operator-and

  Thank you,

  James

  0

  Comment actions Permalink
• 

  Dekel Moyal

  • April 28, 2019 07:21

  @james thanks very much for the info, i dont know how i missed the nested if :D

  great solution, your example was very helpful, it didnt work first try, so i went into the doc u added, and i saw that i need to end it with "as" and name it, it works perfectly now!

   

  0

  Comment actions Permalink

Please sign in to leave a comment.