I have the following logs, where the output can come from the application, the database, or a third-party source.
id=11111 req=getresult from app msg=from application status=200
id=2222 req=getresult from db msg=result from db status=200
id=3333 req=getresult from others msg=third party status=200
Using the above logs, I want to calculate the success rate from each source. I found that eval is the best option to use.
host=Test sourcetype="test*" source="test.log" "req=getresult*"
| rex "status=(?<http_status>\d{3})"
| eval success= case(match(msg,"from application"), "Application",
match(msg, "result from db"), "DB", 1=1, "Third party")
| where http_status=200 | stats count by success
But the result is not right. I get the count of all the events as Third party. What am I missing here?
The automatic field extraction that you get from KV_MODE = auto will extract the value 'from' or 'result' for 'msg', which is insufficient/incorrect. You should do your own field extractions, but in the meantime you can do this:
host=Test sourcetype="test*" source="test.log" "req=getresult*"
| rex "status=(?<http_status>\d{3})"
| where http_status=200
| eval success= case(
match(_raw, "msg=from application"), "Application",
match(_raw, "msg=result from db"), "DB",
true(), "Third party")
| stats count BY success
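To make the failure mode concrete, here is an added Python example that is not part of the original question or either answer and does not use Splunk itself. It models two extraction behaviours: a simplified stand-in for KV_MODE = auto, which splits each key=value token on whitespace (an assumption about the auto extractor's behaviour, enough to reproduce the symptom), and a custom extraction that reads a value up to the next key. It also shows the answer's workaround of matching on the raw event. The three events are constructed copies of the lines in the question.

```python
import re

# Constructed sample events, copied from the question's three log lines.
EVENTS = [
    "id=11111 req=getresult from app msg=from application status=200",
    "id=2222 req=getresult from db msg=result from db status=200",
    "id=3333 req=getresult from others msg=third party status=200",
]


def auto_kv(raw):
    """Simplified model of KV_MODE=auto (assumption): every key=value token is
    split on whitespace, so a value containing spaces is cut at the first space.
    'msg=from application' therefore yields msg='from'."""
    return dict(re.findall(r"(\w+)=(\S+)", raw))


def kv_to_next_key(raw):
    """Custom extraction: a value runs until the next ' key=' or end of line,
    so 'msg=from application status=200' yields msg='from application'."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", raw))


def classify(msg):
    """Mirror of the question's case() on the extracted msg field."""
    if re.search(r"from application", msg):
        return "Application"
    if re.search(r"result from db", msg):
        return "DB"
    return "Third party"


def classify_raw(raw):
    """Mirror of the answer's workaround: match on the whole raw event,
    including the 'msg=' prefix, so truncated field extraction is irrelevant."""
    if re.search(r"msg=from application", raw):
        return "Application"
    if re.search(r"msg=result from db", raw):
        return "DB"
    return "Third party"


def success_counts(events, extractor):
    """Equivalent of '| where http_status=200 | stats count by success'
    using the given field extractor for both status and msg."""
    counts = {}
    for raw in events:
        fields = extractor(raw)
        if fields.get("status") != "200":
            continue
        label = classify(fields.get("msg", ""))
        counts[label] = counts.get(label, 0) + 1
    return counts


def success_counts_raw(events):
    """Same report, but the status comes from a rex-style regex on the raw
    event and the source label from classify_raw."""
    counts = {}
    for raw in events:
        m = re.search(r"status=(\d{3})", raw)
        if not m or m.group(1) != "200":
            continue
        label = classify_raw(raw)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # With whitespace-split extraction every event collapses into Third party,
    # which is exactly the symptom reported in the question.
    print("auto-style extraction :", success_counts(EVENTS, auto_kv))
    print("to-next-key extraction:", success_counts(EVENTS, kv_to_next_key))
    print("match on raw event    :", success_counts_raw(EVENTS))
```

The first report comes out as three Third party events because the truncated msg values ('from', 'result', 'third') never contain the full phrases the case() tests for; the other two reports give one event per source. The to-next-key pattern is the shape of regex you would put in your own field extraction for this log format.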
Are you parsing 'msg' field properly?
host=Test sourcetype="test*" source="test.log" "req=getresult*"
| rex "status=(?<http_status>\d{3})"
| table msg, http_status
Does the above search return the result below?
from application 200
result from db 200
third party 200