I'm trying to wrap my head around assigning a variable to field values that have been consolidated by wildcard. The specific field is a url which contains unique values, but can be consolidated by wildcard:
/api/v1/data/dataInfo/5034542340/0031f24ea10c/867542388
/api/v1/data/dataInfo/6134191727/0031f24ea10c/1353781841
/api/v1/data/validate
Each of these has statusCode, timestamp, etc fields associated. I am needing to do a count of how many times /api/v1/data/dataInfo/* had a 404 response, and how many times /api/v1/data/validate had a 404 response, ideally in a timechart. Without consolidating to a wildcard, I have hundreds of results, because the hash that I'm consolidating via wildcard is unique.
I've tried the following, but it errors on "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '/api/v1/data/dataInfo/*)'." I take this to mean I can't use eval/if with a wildcard.
index=data_index environment=Production clientName="DataTool" statusCode=404
| eval dpInfo = if(url=/api/v1/data/dataInfo/*)
| eval validate = if(url=/api/v1/data/validate)
| timechart count
Any ideas would be very much appreciated!
... View more