I am trying to create a view of various kinds of errors over time, to display as a stacked bar chart or stacked area. Each kind of error can be identified by matching a string (e.g., "No endpoint listening", "timed out", "User not found"), but these strings could be anywhere within the message. I want something like this non-working pseudocode:
_sourceCategory = XXX AND error
| (message contains "No endpoint listening" ? "NoEndpointError" : null) as ErrorType
| (message contains "timed out" ? "TimeoutError" : null) as ErrorType
....
| timeslice 10m
| count by ErrorType, _timeslice
How can I get a collation like this?
Something like this should do:
_sourceCategory=XX error
| if (_raw matches "*Got error while*", "Error1",
if (_raw matches "*TimeoutException*", "Error2",
if (_raw matches "*AvroRuntimeException*", "Error3", "Error4")
)) as ErrorCode
| timeslice 10m
| count by ErrorCode, _timeslice
| transpose row _timeslice column ErrorCode
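To make the semantics of the nested if(...) concrete, here is an added Python example (not code from the thread or from Sumo Logic) that reproduces the same pipeline over constructed log lines: filter on the "error" keyword, classify each message with first-match-wins substring rules and a catch-all label, bucket into 10-minute timeslices, count by (timeslice, label), and transpose into one row per timeslice. The sample log lines, the rule order and the label names are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log lines (timestamp, message); not taken from the original thread.
SAMPLE_LOGS = [
    ("2024-01-01T10:02:11Z", "ERROR Got error while calling upstream: 503"),
    ("2024-01-01T10:04:45Z", "ERROR java.util.concurrent.TimeoutException: request timed out"),
    ("2024-01-01T10:07:03Z", "ERROR org.apache.avro.AvroRuntimeException: bad schema"),
    ("2024-01-01T10:09:10Z", "INFO  health check ok"),            # filtered out: no "error"
    ("2024-01-01T10:12:30Z", "ERROR Got error while calling upstream: 502"),
    ("2024-01-01T10:15:00Z", "ERROR unexpected null pointer"),   # falls into the catch-all
    ("2024-01-01T10:18:59Z", "ERROR TimeoutException after 30s"),
]

# Ordered (substring, label) pairs. Order matters: the first matching rule wins,
# exactly like the nested if(_raw matches ..., ...) chain in the answer above.
RULES = [
    ("Got error while", "Error1"),
    ("TimeoutException", "Error2"),
    ("AvroRuntimeException", "Error3"),
]
DEFAULT_LABEL = "Error4"  # the innermost else branch of the nested if


def classify(message, rules=RULES, default=DEFAULT_LABEL):
    """Return the label of the first rule whose substring occurs in message."""
    for needle, label in rules:
        if needle in message:
            return label
    return default


def timeslice(ts, minutes=10):
    """Floor an ISO-8601 UTC timestamp to the start of its N-minute bucket."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    floored = dt.replace(minute=dt.minute - dt.minute % minutes, second=0, microsecond=0)
    return floored.strftime("%Y-%m-%dT%H:%M:%SZ")


def count_by_type_and_slice(logs, minutes=10):
    """Equivalent of '| timeslice 10m | count by ErrorCode, _timeslice'."""
    counts = Counter()
    for ts, msg in logs:
        if "error" not in msg.lower():  # the keyword filter in the query
            continue
        counts[(timeslice(ts, minutes), classify(msg))] += 1
    return counts


def transpose(counts):
    """Equivalent of '| transpose row _timeslice column ErrorCode'.

    Rows are keyed by timeslice, columns by label; absent cells become 0 so
    every row has the same columns for a stacked chart.
    """
    labels = sorted({label for _, label in counts})
    table = {}
    for (slot, label), n in counts.items():
        table.setdefault(slot, {l: 0 for l in labels})[label] = n
    return dict(sorted(table.items()))


if __name__ == "__main__":
    for slot, row in transpose(count_by_type_and_slice(SAMPLE_LOGS)).items():
        print(slot, row)
```

The one behaviour worth noticing is precedence: a message that contains both "Got error while" and "TimeoutException" is labelled Error1, because the outer if is evaluated first. Put the most specific pattern outermost if that is not the grouping you want.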