I am trying to compare the count based on ServiceMethod [field], but when there are no results found, that particular count for ServiceMethod value needs to be displayed as "0".
I tried many ways but no luck.
index=_internal source="/demo/demo.log" RequestWebService ServiceMethod | stats count as RequestCount by ServiceMethod | appendcols [ search index=_internal source="/demo/demo.log" RequestFromPage ResponseWebService ServiceMethod| stats count as ResponseCount by ServiceMethod ]
Try this
index=_internal source="/demo/demo.log" ServiceMethod (RequestWebService OR (RequestFromPage ResponseWebService))
| eval requests = if(searchmatch("RequestWebService"), 1, 0)
| stats sum(requests) as RequestCount count as ResponseCount by ServiceMethod
| eval ResponseCount = ResponseCount - RequestCount
| inputlookup append=t service_methods
| stats max(*Count) as *Count by ServiceMethod
where service_methods is a lookup containing a list of all service methods with zeroed RequestCount and ResponseCount.
Side note, why is that indexed in _internal?
Thanks Martin.
I just wanted to hide a few details, that's why.
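The zero-fill pattern from the answer above, as a run-anywhere search; this is an added example, not code from the original thread. It generalizes slightly so it needs no index or lookup: the five events, the ServiceMethod values (GetUser, GetOrder, DeleteUser) and the helper field n are constructed, like() on _raw stands in for searchmatch(), and an append subsearch stands in for the service_methods lookup.

```spl
| makeresults count=5
| streamstats count as n
| eval _raw = case(
    n=1, "RequestWebService ServiceMethod=GetUser",
    n=2, "RequestWebService ServiceMethod=GetUser",
    n=3, "RequestFromPage ResponseWebService ServiceMethod=GetUser",
    n=4, "RequestWebService ServiceMethod=GetOrder",
    n=5, "RequestFromPage ResponseWebService ServiceMethod=GetOrder")
| rex "ServiceMethod=(?<ServiceMethod>\w+)"
| eval requests = if(like(_raw, "%RequestWebService%"), 1, 0)
| stats sum(requests) as RequestCount count as ResponseCount by ServiceMethod
| eval ResponseCount = ResponseCount - RequestCount
| append
    [| makeresults
     | eval ServiceMethod = split("GetUser,GetOrder,DeleteUser", ",")
     | mvexpand ServiceMethod
     | eval RequestCount = 0, ResponseCount = 0
     | table ServiceMethod RequestCount ResponseCount]
| stats max(*Count) as *Count by ServiceMethod
```

The final stats keeps the real counts wherever events exist and falls back to the appended zero row otherwise, so DeleteUser, which has no events, is listed with 0 in both columns.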