I have some logs from another system against which I need to run the following query, and I can't modify the way the other system is logging.
index=some-index event=RequestLogging foo OR bar
| eval errorCount=if(searchmatch("NOT (((foo LABEL1 LABEL2) OR (bar LABEL3 LABEL4)) LABEL5 LABEL6)"), 1, 0)
| stats count as total sum(errorCount) as error
| eval rate=error/total*100
I have logs that have either foo or bar:
For foo I am expecting LABEL1 and LABEL2 to be present along with LABEL5 and LABEL6.
For bar I am expecting LABEL3 and LABEL4 to be present along with LABEL5 and LABEL6.
LABEL5 and LABEL6 are common to both foo and bar.
For example, for foo, in the logs I expect it as:
event=RequestLogging foo LABEL1=[value=xyz description=desc1 metadata=[]] LABEL2=[value=abc description=desc2 metadata=[]] LABEL5=[value=def description=desc3 metadata=[]] LABEL6=[value=ghi description= metadata=[]]
My query runs fine and returns an error if any of the labels are missing.
An additional requirement is to ensure that the value field in the label isn't blank.
Example: LABEL5=[value= description= metadata=[]]
The other system logs the value as empty, whereas I expect it to have something like:
LABEL5=[value=123 description= metadata=[]]
When I attempted something like this, it didn't work:
"*LABEL5=[value= description*"
index=some-index event=RequestLogging foo OR bar
| eval errorCount=if(searchmatch("NOT (((foo LABEL1 LABEL2) OR (bar LABEL3 LABEL4)) "*LABEL5=[value= description*" LABEL6)"), 1, 0)
| stats count as total sum(errorCount) as error
| eval rate=error/total*100
How can I update my query to check if value is blank?
If I run it like this, then it works, at least displaying those logs that have LABEL5's value blank.
index=some-index event=RequestLogging foo OR bar "*LABEL5=[value= description*"
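One way to add the blank-value check, written here as an added example and not taken from the question above. It assumes the log format shown in the question (LABEL5=[value=... description=... metadata=[]]) and introduces two hypothetical extracted field names, label5_value and label6_value. The approach is to extract the value field with rex and test it in eval, rather than nesting quoted phrases inside searchmatch (in SPL a literal double quote inside a string has to be escaped as \", which is why the quoted "*LABEL5=[value= description*" inside searchmatch("...") terminated the string early):

```spl
index=some-index event=RequestLogging (foo OR bar)
``` extract the text between "value=" and the next space or "]" for each common label; an empty value yields an empty or null field ```
| rex field=_raw "LABEL5=\[value=(?<label5_value>[^\s\]]*)"
| rex field=_raw "LABEL6=\[value=(?<label6_value>[^\s\]]*)"
``` original presence check from the question, unchanged ```
| eval labelsMissing=if(searchmatch("NOT (((foo LABEL1 LABEL2) OR (bar LABEL3 LABEL4)) LABEL5 LABEL6)"), 1, 0)
``` blank check: coalesce turns a missing extraction into "" so both "value= " and an absent label count as blank ```
| eval blankValue=if(coalesce(label5_value, "")="" OR coalesce(label6_value, "")="", 1, 0)
| eval errorCount=if(labelsMissing=1 OR blankValue=1, 1, 0)
| stats count AS total, sum(errorCount) AS error
| eval rate=round(error/total*100, 2)
```

The triple-backtick lines inside the query are SPL comments and can be dropped. Keeping labelsMissing and blankValue as separate fields is deliberate: adding `sum(blankValue) AS blank` to the stats line shows how much of the error rate comes from empty values versus missing labels. To check LABEL1 through LABEL4 the same way, add one rex per label and extend the coalesce test; if a value may legitimately contain spaces or `]`, widen the character class in the rex accordingly.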