Sumo Logic count various errors over time
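I'm trying to create a view of various errors over time, to display as a stacked bar chart or stacked area chart. Each kind of error can be identified by a matching string (e.g. "No endpoint listening", "timed out", "user not found"), but these strings can be anywhere in the message. I'd like something like this non-working pseudocode: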
_sourceCategory = XXX AND error
| (message contains "No endpoint listening" ? "NoEndpointError" : null) as ErrorType
| (message contains "timed out" ? "TimeoutError " : null) as ErrorType
....
| timeslice 10m
| count by ErrorType, _timeslice
How can I get this kind of collation?
This should do it:
_sourceCategory=XX error
| if (_raw matches "*Got error while*", "Error1",
if (_raw matches "*TimeoutException*", "Error2",
if (_raw matches "*AvroRuntimeException*", "Error3", "Error4")
)) as ErrorCode
| timeslice 10m
| count by ErrorCode, _timeslice
| transpose row _timeslice column ErrorCode
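To check the classification rules offline before charting, the following Python sketch emulates the answer's query on a few constructed log lines. It is an added example, not part of the original answer; the sample lines, the helper names, the case-sensitive wildcard matching and the substring stand-in for the `error` keyword are assumptions of this sketch.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Patterns and labels copied from the answer's query. Order matters:
# the nested if() returns the label of the FIRST pattern that matches.
RULES = [("*Got error while*", "Error1"),
         ("*TimeoutException*", "Error2"),
         ("*AvroRuntimeException*", "Error3")]
DEFAULT = "Error4"      # innermost else branch: every unmatched error line
SLICE_SECONDS = 600     # timeslice 10m

def classify(raw):
    for pattern, code in RULES:
        if fnmatchcase(raw, pattern):  # assumption: case-sensitive wildcard match
            return code
    return DEFAULT

def timeslice(ts):
    # Floor the timestamp to the start of its 10-minute bucket.
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % SLICE_SECONDS, tz=timezone.utc)

def pivot(events):
    """events: (datetime, raw) pairs -> {slice_start: {ErrorCode: count}}."""
    table = defaultdict(Counter)
    for ts, raw in events:
        if "error" not in raw.lower():  # rough stand-in for the `error` keyword
            continue
        table[timeslice(ts)][classify(raw)] += 1
    columns = sorted({c for row in table.values() for c in row})
    # One row per slice, one column per code; absent codes are filled with 0 here.
    return {t: {c: table[t][c] for c in columns} for t in sorted(table)}

def at(hhmm):
    day = datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return day.replace(tzinfo=timezone.utc)

# Constructed sample log lines (not from the original post).
SAMPLE = [
    (at("10:01"), "ERROR Got error while calling backend: TimeoutException"),
    (at("10:04"), "ERROR request failed: TimeoutException after 30s"),
    (at("10:09"), "ERROR org.apache.avro.AvroRuntimeException: bad schema"),
    (at("10:12"), "ERROR user not found"),
    (at("10:15"), "INFO health check ok"),
    (at("10:19"), "error: TimeoutException talking to cache"),
]

if __name__ == "__main__":
    for start, row in pivot(SAMPLE).items():
        print(start.strftime("%H:%M"), row)
```

The first sample line matches two patterns but is counted only as Error1, and the "user not found" line lands in the catch-all Error4 column, so the pattern order and the size of the default bucket are worth reviewing before trusting the chart.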