I have two log queries from the same stream that both return the number of log messages that match the search criteria.
First I want to get the number of incoming blobs as follows:
namespace=ns cluster=we container=project1
| where %"log.@m" matches "*About to handle incoming blob*"
| count as Incoming
Then I have another log query to get the number of successfully handled blobs from the same stream. The only difference is in the "matches" clause:
namespace=ns cluster=we container=project1
| where %"log.@m" matches "*successfully handled blob*"
| count as Success
I'd like to calculate the ratio, i.e. Success / Incoming, but I can't find the right way to achieve that. I've tested subqueries, the metrics explorer and some other ideas that Google provided but with no success. Any pointers are welcome.
You can combine these two queries into one. You could do that by calculating whether the line matches your pattern and storing that information as a new field. Something like this (I haven't tested):
namespace=ns cluster=we container=project1
| %"log.@m" matches "*successfully handled blob*" as success
Or actually you would rather convert that to a numeric value (so it's easier to aggregate on):
namespace=ns cluster=we container=project1
| if (%"log.@m" matches "*successfully handled blob*", 1, 0) as success
and then with that you can aggregate:
...
| sum(success) as successCount, count as totalCount
| successCount / totalCount as successRatio
Disclaimer: I am currently employed by Sumo Logic
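Added example, not part of the original question or answer: a single query that produces the ratio asked for (Success / Incoming) by flagging both message patterns and summing each flag, so the denominator is the number of incoming blobs rather than every line in the stream. It uses only the operators already shown above (`where`, `matches`, `if`, `sum`); the helper field names `incoming` and `success`, the zero guard on `Incoming`, and the `//` comments are assumptions of this example.

```sumologic
namespace=ns cluster=we container=project1
// Keep only the two message types that feed the ratio.
| where %"log.@m" matches "*About to handle incoming blob*"
     or %"log.@m" matches "*successfully handled blob*"
// Turn each pattern into a 0/1 flag so it can be summed.
| if (%"log.@m" matches "*About to handle incoming blob*", 1, 0) as incoming
| if (%"log.@m" matches "*successfully handled blob*", 1, 0) as success
// One aggregation pass yields both counters.
| sum(incoming) as Incoming, sum(success) as Success
// Guard against an empty window (no incoming blobs) before dividing.
| if (Incoming > 0, Success / Incoming, 0) as successRatio
```

A blob that arrives near the end of the time range may be counted as incoming while its success message falls outside the window, so the ratio over short ranges can read slightly low.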