different count with contains
Hi,
Sorry for the lame title, I didn't know exactly how to summarize what I need.
I have a logfile that contains a few messages:
serviceName - the name of the service
messageType - the type, I'm querying only "ERROR"
errorMessage - the actual error, this is a free text field that contains the error details, but the main reason is usually first (in some cases it's not).
What I want is to run a count on how many errors I have from the same type.
For example:
I have these errorMessage values:
- id not found - id5435
- id not found - id8873
- user not authorized - user a222
- general error - error not authenticated
- error { error id 2 {error with user a2221 } }
What I want is to filter out the errorMessage field and to give each "contains" type a name. For example, if errorMessage contains ("id not found") call it "id issue", if errorMessage contains ("user not authorized") call it "auth issue", and so on. Just to clarify, the error doesn't have to appear first in the message; that's why I'm using contains and not a regular parse with *.
At the end, I want to count those items.
I want to have a count that will look like this:
- id issue - 2
- auth issue - 1
- general error - 2
So how do I do the above? I looked in the documentation but I didn't find anything, and also looked in previous threads; sorry if I missed it.
Thanks in advance for any help. If the issue is not clear, please reply and I'll add/edit more info.
-
Hi Dekel,
From your description, what you would want to do is something similar to the following:
_source...
| parse....
| if(errorMessage matches "id not found*", "id issue",if(errorMessage matches "user not authorized*", "auth issue", "general error")) as errorMessage
| count by errorMessage
So this will attempt to match the errorMessage first to "id not found", and if that doesn't match, then to "user not authorized", and then assign "general error" if it matches neither of the previous values.
Note that this is a nested if, and following the syntax you can add additional matches:
| if(errorMessage matches "id not found*", "id issue",if(errorMessage matches "user not authorized*", "auth issue", if(errorMessage matches " type3", "type3","general error"))) as errorMessage
The documentation for the if statement can be found at:
https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/if-operator-and
Thank you,
James
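An added example (not part of the original thread and not Sumo Logic code): a small Python model of the nested if from the answer, run over the sample errorMessage values from the question. It assumes Python's `fnmatchcase` as a stand-in for whole-string wildcard matching; the rule lists and the `WRAPPED` message are constructed here, and the comparison shows that a pattern without a leading `*` only matches when the phrase comes first.

```python
from fnmatch import fnmatchcase
from collections import Counter

# The five errorMessage values given in the question.
MESSAGES = [
    "id not found - id5435",
    "id not found - id8873",
    "user not authorized - user a222",
    "general error - error not authenticated",
    "error { error id 2 {error with user a2221 } }",
]

# Constructed sample: the phrase of interest is not at the start of the message.
WRAPPED = "request 17 failed: id not found - id0001"

# Ordered (pattern, label) rules; the first match wins, as in a nested if.
# PREFIX_RULES mirrors the answer's patterns (trailing * only).
PREFIX_RULES = [
    ("id not found*", "id issue"),
    ("user not authorized*", "auth issue"),
]
# CONTAINS_RULES adds a leading *, so the phrase may appear anywhere (assumption:
# this is how a "contains" test is expressed with whole-string wildcards).
CONTAINS_RULES = [
    ("*id not found*", "id issue"),
    ("*user not authorized*", "auth issue"),
]


def categorize(message, rules, default="general error"):
    """Return the label of the first rule whose wildcard matches the whole message."""
    for pattern, label in rules:
        if fnmatchcase(message, pattern):
            return label
    return default


def count_by_category(messages, rules):
    """Equivalent of 'count by <category>': label every message, then tally."""
    return dict(Counter(categorize(m, rules) for m in messages))


if __name__ == "__main__":
    print(count_by_category(MESSAGES, PREFIX_RULES))
    print(categorize(WRAPPED, PREFIX_RULES), "vs", categorize(WRAPPED, CONTAINS_RULES))
```

Because the first matching rule wins, a message containing more than one phrase is counted under whichever rule is listed first.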