I've read as many examples as I can and I still can't figure out how to get this to work. We are using 6.6.2.
I am trying to gather stats on endpoint calls grouped by endpoint and client. There may be 2 or 3 endpoint values (ul-operation) and there are 43 variations of client values (user_agent), but they all start with 2 common prefixes that I can use for grouping. However, each variation of the case statement I try always falls to the third bucket. I can't see which approach to use or why each one fails.
1) eval+case+like
sourcetype="bimlocs" source=blue@bimlocs-p-ue1 "line.ul-log-data.http_request_headers.user-agent" IN ("okhttp*","Khufu*") "line.ul-log-data.http_response_code" != "4*" "line.ul-log-data.http_response_code" != "5*" | eval "user_agent"=case(like("line.ul-log-data.http_request_headers.user-agent","okhttp%"), "ANDROID", like("line.ul-log-data.http_request_headers.user-agent","Khufu%"), "IOS",1==1,"OTHER") | chart count by "line.ul-operation", "user_agent"
2) eval+case+match
sourcetype="bimlocs" source=blue@bimlocs-p-ue1 "line.ul-log-data.http_request_headers.user-agent" IN ("okhttp*","Khufu*") "line.ul-log-data.http_response_code" != "4*" "line.ul-log-data.http_response_code" != "5*" | eval "user_agent"=case(match("line.ul-log-data.http_request_headers.user-agent","^okhttp.*"), "ANDROID", match("line.ul-log-data.http_request_headers.user-agent","^Khufu.*"), "IOS",1==1,"OTHER") | chart count by "line.ul-operation", "user_agent"
3) eval+case+==
sourcetype="bimlocs" source=blue@bimlocs-p-ue1 "line.ul-log-data.http_request_headers.user-agent" IN ("okhttp*","Khufu*") "line.ul-log-data.http_response_code" != "4*" "line.ul-log-data.http_response_code" != "5*" | eval "user_agent"=case("line.ul-log-data.http_request_headers.user-agent"=="okhttp*", "ANDROID", "line.ul-log-data.http_request_headers.user-agent"=="Khufu*", "IOS",1==1,"OTHER") | chart count by "line.ul-operation", "user_agent"
I'm guessing the third case doesn't treat the * as a wildcard.
However, all the above combinations appear to work as long as they are not within eval/case.
Am I doing something wrong?
Thanks,
Dave
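Added example (not part of the original post): inside eval, a double-quoted name such as "line.ul-log-data.http_request_headers.user-agent" is a string literal, so like()/match()/== compare the literal text of the field name against the pattern, never match, and every event falls through to OTHER; a field name containing dots and hyphens must be wrapped in single quotes to be read as a field. The search below keeps the post's sourcetype, source and field names and copies the user-agent into a short field first so the case() stays readable.

```spl
sourcetype="bimlocs" source=blue@bimlocs-p-ue1
    "line.ul-log-data.http_request_headers.user-agent" IN ("okhttp*","Khufu*")
    "line.ul-log-data.http_response_code" != "4*"
    "line.ul-log-data.http_response_code" != "5*"
| eval ua='line.ul-log-data.http_request_headers.user-agent'
| eval user_agent=case(like(ua, "okhttp%"), "ANDROID",
                       like(ua, "Khufu%"), "IOS",
                       1==1, "OTHER")
| chart count by "line.ul-operation", user_agent
```

The same single-quote rule applies to the match() and == variants; note that == in eval is an exact string comparison with no wildcard, so the third variant would still need like() or match() even with the quoting fixed.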