I'm trying to wrap my head around assigning a variable to field values that have been consolidated by wildcard. The specific field is a url which contains unique values, but can be consolidated by wildcard:
/api/v1/data/dataInfo/5034542340/0031f24ea10c/867542388
/api/v1/data/dataInfo/6134191727/0031f24ea10c/1353781841
/api/v1/data/validate
Each of these has statusCode, timestamp, etc. fields associated. I need to count how many times /api/v1/data/dataInfo/* had a 404 response, and how many times /api/v1/data/validate had a 404 response, ideally in a timechart. Without consolidating to a wildcard, I have hundreds of results, because the hash that I'm consolidating via wildcard is unique.
I've tried the following, but it errors on "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '/api/v1/data/dataInfo/*)'." I take this to mean I can't use eval/if with a wildcard.
index=data_index environment=Production clientName="DataTool" statusCode=404
| eval dpInfo = if(url=/api/v1/data/dataInfo/*)
| eval validate = if(url=/api/v1/data/validate)
| timechart count
Any ideas would be very much appreciated!
Like this:
index=data_index environment=Production clientName="DataTool" statusCode=404
| timechart count(eval(match(url, "^/api/v1/data/dataInfo/"))) AS dpinvo
count(eval(match(url, "^/api/v1/data/validate$"))) AS validate
Is it * or .* or % in the context of match?
Good point; I should not have had the * there at all (I modified my answer). I could have put in .* but it would have been redundant for the need and wasted effort for the RegEx parser.
To use wildcards in eval, use the match or like function.
... | eval dpInfo = if(match(url, "/api/v1/data/dataInfo/.*"), 1, 0) | ...
... | eval dpInfo = if(like(url, "/api/v1/data/dataInfo/%"), 1, 0) | ...
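
The approaches from both answers combined into one search, as an added example that is not part of the original thread: it normalizes each url into a single endpoint field with case() and charts 404s per endpoint. The makeresults events, the endpoint field name, the "other" bucket and the 10-minute span are constructed for illustration; on real data, replace everything up to and including the statusCode eval with the base search from the question.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = _time - (n * 600)
| eval url = case(
    n=1, "/api/v1/data/dataInfo/5034542340/0031f24ea10c/867542388",
    n=2, "/api/v1/data/dataInfo/6134191727/0031f24ea10c/1353781841",
    n=3, "/api/v1/data/validate",
    n=4, "/api/v1/data/validate/extra",
    n=5, "/api/v1/data/dataInfoX/1",
    n=6, "/api/v1/data/dataInfo/1/2/3")
| eval statusCode = if(n=6, 200, 404)
| where statusCode=404
| eval endpoint = case(
    like(url, "/api/v1/data/dataInfo/%"), "/api/v1/data/dataInfo/*",
    match(url, "^/api/v1/data/validate$"), "/api/v1/data/validate",
    true(), "other")
| timechart span=10m count BY endpoint
```

like() must match the whole string, so the trailing % is required, while match() is a regular expression that matches anywhere unless anchored with ^ and $. With these sample events the chart totals 2 for /api/v1/data/dataInfo/*, 1 for /api/v1/data/validate and 2 for other, since the anchors and the trailing slash keep /validate/extra and /dataInfoX/1 out of the two named buckets.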