The following query is not working for me:
message.meta.service=foo
| stats
count(eval(message.meta.route="/foobar/publish")) as publishes
It always results in publishes being 0, when it should be greater than 0 (e.g., 55).
Doing a query of just:
message.meta.route="/foobar/publish"
returns multiple events (e.g., 55), but wh
Try this:
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND message.meta.service=foo
| stats count(eval('message.meta.route'="/foobar/publish")) AS publishes
You must encapsulate the field name in single-quotes because it contains periods.
Working with rbednark
we discovered that renaming the variable allowed the eval and count to work as expected.
Can't use . in an eval comparison I guess?
message.meta.service=foo
| rename message.meta.route as route
| stats
count(eval(route="/foobar/publish")) as publishes
Try this (fields with special characters in their names should be enclosed in single quotes when used in expressions of eval/where):
message.meta.service=foo
| stats
count(eval('message.meta.route'="/foobar/publish")) as publishes
Renaming the variable allowed it to work.
message.meta.service=foo
| rename message.meta.route as route
| stats
count(eval(route="/foobar/publish")) as publishes
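As an added, self-contained check (not from any poster above) that can be pasted into a search bar without needing the foo data: makeresults builds five constructed events, two of them with the route of interest, and the two stats clauses run the quoted and unquoted comparison side by side. The quoted form counts 2; the unquoted form counts 0, because inside eval an unquoted period is the string-concatenation operator, so message.meta.route is parsed as message . meta . route over three fields that do not exist, and the comparison never becomes true.

```spl
| makeresults count=5
| streamstats count AS n
| eval route=if(n<=2, "/foobar/publish", "/other")
| rename route AS message.meta.route
| stats count(eval('message.meta.route'="/foobar/publish")) AS publishes_quoted,
        count(eval(message.meta.route="/foobar/publish")) AS publishes_unquoted,
        count AS total
```

Expected result is a single row with publishes_quoted=2, publishes_unquoted=0, total=5; the same quoting rule applies in where and in the left side of eval assignments.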