I am trying to count occurrences of events from raw logs. Basically, if the log contains the string "MediaFailed", then count it. The difficulty is this string is not part of a key-value pair so I can't do an equality statement. I'm just looking for its existence within the entire log. I have tried the following, unsuccessfully:
| eval failures=case(match(_raw,"MediaFailed"),uuid)
Any help is appreciated!
Something like this would work?
| eval failures=if(match(_raw,"MediaFailed"),1,0)
You can just use the string "MediaFailed" as a part of your search, something like:
source=<whatever> "MediaFailed" | stats count
That will search it matching the case.
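An added example, not written by any poster in this thread: the per-event flag approach run over five constructed sample events generated with makeresults, then summed to get the count. match() takes a regular expression and is case-sensitive, so a second flag uses (?i) to also count a lower-case variant; the event text, the player field and the output field names are assumptions made for illustration.

```spl
| makeresults count=5
| streamstats count AS n
| eval _raw=case(
    n=1, "2024-01-01T10:00:00Z player=a1 MediaFailed code=404",
    n=2, "2024-01-01T10:00:05Z player=a2 MediaStarted",
    n=3, "2024-01-01T10:00:09Z player=a3 error: MediaFailed (timeout)",
    n=4, "2024-01-01T10:00:12Z player=a4 mediafailed lower-case variant",
    n=5, "2024-01-01T10:00:20Z player=a5 MediaStopped")
| eval failures=if(match(_raw, "MediaFailed"), 1, 0)
| eval failures_any_case=if(match(_raw, "(?i)MediaFailed"), 1, 0)
| stats count AS total_events, sum(failures) AS failures, sum(failures_any_case) AS failures_any_case
```

Against real data, replace the first three lines with the base search; keeping the flag as a 0/1 field lets the same stats call report failures alongside the total event count.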