Context:
Each transaction has its own unique RequestId, and in a Splunk search we will have multiple rows with the same RequestId describing all the activities of a given transaction.
Goal:
Stack all error codes per endpoint so we can have a chart where the x-axis is the endpoints and the y-axis is a count of errorCodes per endpoint.
Here is my solution, which I feel is very close, but I still cannot get what I want 😞 Looking for your advice on either my solution or any other solutions. Thanks
Search query:
index=xyz sourcetype=tomcat_epf_app
[search index=xyz sourcetype=tomcat_epf_app "ERROR ControllerAdvice" OR "ERROR Reporter" | fields + RequestId | fields - _* | rename RequestId as search | format "" "" "OR" "" "OR" "" ]
| rex "ErrorCode\-(?<code>\d{3,3})\-"
| eval endpoints=case(searchmatch("/login"),"/login", searchmatch("/subscription"),"/subscription",searchmatch("/email"),"/email")
| table endpoints, RequestId, code | where isnotnull(code) OR isnotnull(endpoints) | sort str(RequestId)
Result:
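As an added example (not the original poster's query), one way to get the chart described in the goal: the endpoint and the error code usually sit on different events of the same RequestId, so they have to be brought together per transaction with stats before charting. The index, sourcetype, error markers and endpoint paths are taken from the post; the field name endpoint is an assumption.

```spl
index=xyz sourcetype=tomcat_epf_app
    [search index=xyz sourcetype=tomcat_epf_app "ERROR ControllerAdvice" OR "ERROR Reporter"
     | fields + RequestId | fields - _* | rename RequestId as search | format "" "" "OR" "" "OR" ""]
| rex "ErrorCode\-(?<code>\d{3})\-"
| eval endpoint=case(searchmatch("/login"),"/login", searchmatch("/subscription"),"/subscription", searchmatch("/email"),"/email")
| stats values(endpoint) as endpoint, values(code) as code by RequestId
| where isnotnull(endpoint) AND isnotnull(code)
| mvexpand code
| chart count over endpoint by code
```

The stats step collapses each transaction to one row carrying both the endpoint it hit and the codes it raised; mvexpand then gives one row per code so the final chart counts every code once per transaction, and the visualization can be set to a stacked bar.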