Say I have the following 4 logs:
And I want to create the final output table as:
I want to count the distinct number of users that successfully and unsuccessfully signed-up and signed-in by product for a particular day. Additionally, I want to exclude those sign-in results where api=10 or api=20.
I was thinking something along the lines of the following, but it is giving me null results:
index=abc*
| bucket _time span=1d
| eval signup=if(search="sign-up","1","0")
| eval signin=if(search="sign-in","1","0")
| eval message=
case(signup=1 AND errorcode="success" ,"Successful sign-UP", sign-up=1 AND errorcode="fail" ,"Failed sign-UP",
signin=1 AND errorcode="success" ,"Successful sign-IN", sign-in=1 AND errorcode="user not found" ,"User not found sign-IN")
| chart dc(user) over product by message
| table product Successful sign-UP, Failed sign-UP, Successful sign-IN, Failed sign-IN
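One way to write the search described above, as an added example that is not part of the original post. It assumes the field names used in the post's query (search, errorcode, api, user, product) exist in the events as written, selects the day with the time range (here yesterday, via earliest/latest), and labels the "user not found" sign-ins as "Failed sign-IN" so that the label matches the column listed in the final table. In eval an unquoted name such as sign-up is read as a subtraction, and column names that contain spaces have to be quoted in table.

```spl
index=abc* earliest=-1d@d latest=@d
| eval message=case(
    search="sign-in" AND (api=10 OR api=20), null(),
    search="sign-up" AND errorcode="success", "Successful sign-UP",
    search="sign-up" AND errorcode="fail", "Failed sign-UP",
    search="sign-in" AND errorcode="success", "Successful sign-IN",
    search="sign-in" AND errorcode="user not found", "Failed sign-IN")
| where isnotnull(message)
| chart dc(user) over product by message
| fillnull value=0
| table product "Successful sign-UP" "Failed sign-UP" "Successful sign-IN" "Failed sign-IN"
```

The first case() clause returns null for sign-in events with api=10 or api=20, so the where command drops them before the distinct count; sign-in events that have no api field fall through to the later clauses and are kept.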