Hey guys,
I asked a question recently about an appended column on a graph not selecting the correct events when it is clicked on. Iguinn provided me with a query (thanks!) that allowed the columns to filter correctly and select the right events. I have to add two more columns to this graph, and I am running into the same problem I was having when I was trying to use append, which is that it does not filter the events correctly into the appended columns on the graph.
Both of these fields have been extracted and appear correctly when they are not appended.
My query is sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" | eval ErrorType = if(PhpFatal=="PHP Fatal error",PhpFatal,DrupalPHPFatal) | stats count by ErrorType | append [ search sourcetype=testing AccessDenied="Access Denied" OR PageNotFound="page not found" | eval ErrorType = if(AccessDenied=="access denied",AccessDenied,PageNotFound) | stats count by ErrorType ]
These commands both work when they are not appended. When I select either the AccessDenied column or the PageNotFound column, I get 0 events, even though the graph says there are three.
The search query when I select one of these appended columns is sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" | eval ErrorType = if(PhpFatal=="PHP Fatal error",PhpFatal,DrupalPHPFatal) | search ErrorType="access denied"
If I select a non-appended column, the query is the same, except it says search ErrorType="PHP Fatal Error"
Why are appended columns not functioning properly on this graph?
Thanks
Hi Spiere,
Try this search with the appendcols command:
sourcetype=testing AccessDenied="Access Denied" OR PageNotFound="page not found" | eval ErrorType = if(AccessDenied=="access denied",AccessDenied,PageNotFound) | stats count by ErrorType | appendcols [ search sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" | eval ErrorType = if(PhpFatal=="PHP Fatal error",PhpFatal,DrupalPHPFatal) | stats count by ErrorType ]
Use the same formula provided by Iguinn, since they are all coming from the same sourcetype:
sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" OR AccessDenied="Access Denied" OR PageNotFound="page not found" | eval ErrorType = case(PhpFatal="PHP Fatal error", PhpFatal,DrupalPHPFatal="Error: PHP FATAL Error" ,DrupalPHPFatal, AccessDenied="access denied" , AccessDenied ,1=1, PageNotFound ) | stats count by ErrorType
Try again (I believe the case of "access denied" was the issue).
Access denied does not seem to show up on the graph when using this query. Page not found comes up all right, though.
Could you tell me what the 1=1 does inside of the eval statement? I understand the rest of it except for that part.
New query you submitted works well. Thanks.
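To make the two points raised in the thread concrete (what `1=1` does inside `case()`, and why an `"access denied"` literal never matches a field whose extracted value is `"Access Denied"`), here is an added example that is not from the original thread or from any of the posters. It builds five constructed events with `makeresults` instead of reading `sourcetype=testing`; the field names and literals follow the question, while the `lower()` comparison, the `isnotnull()` branch and the `"Unclassified"` default are assumptions added here.

```spl
| makeresults count=5
| streamstats count AS n
| eval PhpFatal       = if(n=1, "PHP Fatal error", null()),
       DrupalPHPFatal = if(n=2, "Error: PHP FATAL Error", null()),
       AccessDenied   = if(n=3, "Access Denied", null()),
       PageNotFound   = if(n=4, "page not found", null())
| eval ErrorType = case(
        PhpFatal="PHP Fatal error",              PhpFatal,
        DrupalPHPFatal="Error: PHP FATAL Error", DrupalPHPFatal,
        lower(AccessDenied)="access denied",     AccessDenied,
        isnotnull(PageNotFound),                 PageNotFound,
        1=1,                                     "Unclassified")
| stats count BY ErrorType
```

`case()` evaluates its condition/value pairs left to right and returns the value of the first condition that is true; `1=1` is always true, so the last pair is the "else" branch that catches every event none of the earlier conditions claimed (here the fifth constructed event, which carries none of the four fields, lands in "Unclassified"). String comparison in `eval` is case-sensitive, which is why the thread's `AccessDenied="access denied"` test silently falls through to the default and the Access Denied column disappears from the chart; comparing `lower(AccessDenied)` avoids depending on the exact capitalisation of the extracted value. To use this against real data, replace the first six lines with the single combined search from the answer (`sourcetype=testing PhpFatal=... OR DrupalPHPFatal=... OR AccessDenied=... OR PageNotFound=...`): because one search produces all four ErrorType values, the chart's drilldown, which rebuilds the base search and appends `| search ErrorType="..."` while dropping any subsearch, now filters against events that were actually tagged.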