I have multiple error messages in the logs and I do count by ErrorMessage. The error messages get listed as below.
ErrorMessage                                            Count
Execute Hedging Failed                                  427
Execute Risk Failed                                     727
Unable to create parallel trade for trade ID 12345      400
Unable to create parallel trade for trade ID 23456      326
In the table above, error messages 1 and 2 are valid, but the 3rd and 4th are the same except for the trade ID. I want to tweak my query in such a way that 3 and 4 are joined together and I get Unable to create parallel trade 726 (400+326).
My current query: index=XYZ sourcetype="Apache Log" Error | stats count by PT_ErrMsg. PT_ErrMsg is a field extraction created for getting the error message.
quick and dirty:
index=XYZ sourcetype="Apache Log" Error | eval ErrorMsg = if(like(PT_ErrMsg,"Unable to create parallel trade for trade ID%"),"Unable to create parallel trade for trade ID",PT_ErrMsg) | stats count by ErrorMsg
Thanks, it is working. What should I do if I want to do this for multiple error messages along with the one I mentioned above? For example:
Failed to create trade for ID 1234      124
Failed to create for ID 3214            470
Yep, in this case the answer of richgalloway is the more accurate. As I said, it only was quick and dirty.
That's where the case statement in my answer is useful. Just add an entry to it for each message.
You'll need to convert similar error messages into a common form. Try this:
index=XYZ sourcetype="Apache Log" Error | eval PT_ErrMsg=case(match(PT_ErrMsg,"Unable to create parallel trade for trade ID.*"),"Unable to create parallel trade for trade ID" , 1=1, PT_ErrMsg) | Stats count by PT_ErrMsg
Hi richgalloway, this is not working even for the message you have provided. It is listing all the "unable to create trade" messages.
I used the wrong wildcard in the match command. The edited answer should work. Or you can use like as in PPape's answer.
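As an added example that is not part of the thread, here is the case-based answer extended to the second message family from the follow-up comment, followed by a more general form that collapses every run of digits in PT_ErrMsg into a placeholder before counting. It assumes the same index, sourcetype and PT_ErrMsg field from the question; the anchored regexes and the "<ID>" placeholder are my choices, not the thread's.

```spl
index=XYZ sourcetype="Apache Log" Error
| eval PT_ErrMsg=case(
    match(PT_ErrMsg, "^Unable to create parallel trade for trade ID [0-9]+"), "Unable to create parallel trade for trade ID",
    match(PT_ErrMsg, "^Failed to create trade for ID [0-9]+"), "Failed to create trade for ID",
    true(), PT_ErrMsg)
| stats count by PT_ErrMsg

index=XYZ sourcetype="Apache Log" Error
| rex field=PT_ErrMsg mode=sed "s/[0-9]+/<ID>/g"
| stats count by PT_ErrMsg
```

The first query is the explicit approach: one match() branch per message family, with true() as the catch-all so unrecognised messages keep their original text. Anchoring each regex with ^ avoids the problem from the thread where an unanchored pattern matched more rows than intended. The second query needs no per-message maintenance, because any new message that embeds an ID groups automatically, but it also merges messages that differ only in a legitimate number (an HTTP status or error code, for instance), so check the resulting buckets before relying on it for alerting.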