Sumo Logic: counting various errors over time



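I'm trying to create a view of various errors over time, displayed as a stacked bar chart or stacked area chart. Each type of error can be identified by matching a string (e.g., "No endpoint listening", "timed out", "user not found"), but these strings can be anywhere in the message. I'd like something like this invalid pseudocode: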

_sourceCategory = XXX AND error 
| (message contains "No endpoint listening" ? "NoEndpointError" : null) as ErrorType
| (message contains "timed out" ? "TimeoutError " : null) as ErrorType
....
| timeslice 10m
| count by ErrorType, _timeslice

How can I get this sort of result?

It should be something like this:

_sourceCategory=XX error 
| if (_raw matches "*Got error while*", "Error1",
    if (_raw matches "*TimeoutException*", "Error2",
      if (_raw matches "*AvroRuntimeException*", "Error3", "Error4")
    )
  ) as ErrorCode
| timeslice 10m
| count by ErrorCode, _timeslice
| transpose row _timeslice column ErrorCode
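
To see what the query above computes, here is a small Python model of its pipeline, added as an illustration and not part of the original answer: first-match classification, 10-minute buckets, and the pivot into one column per error code. The sample events are constructed, and the helper names, case-sensitive matching, and zero-filled empty cells are assumptions of this model.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Ordered (wildcard pattern, label) rules, in the same order as the nested if().
RULES = [
    ("*Got error while*", "Error1"),
    ("*TimeoutException*", "Error2"),
    ("*AvroRuntimeException*", "Error3"),
]
DEFAULT = "Error4"    # innermost else: the message matched none of the patterns
SLICE_SECONDS = 600   # timeslice 10m

def wildcard_match(raw, pattern):
    # Assumption: "*" is the only wildcard and matching is case-sensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, raw, re.DOTALL) is not None

def classify(raw):
    # First matching rule wins, like if(cond, value, <next if>).
    for pattern, label in RULES:
        if wildcard_match(raw, pattern):
            return label
    return DEFAULT

def error_table(events):
    # count by ErrorCode, _timeslice, then pivot: one row per slice start.
    counts = Counter()
    for ts, raw in events:
        epoch = int(ts.timestamp())
        counts[(epoch - epoch % SLICE_SECONDS, classify(raw))] += 1
    columns = sorted({code for _, code in counts})
    slices = sorted({start for start, _ in counts})
    return columns, {s: [counts[(s, c)] for c in columns] for s in slices}

def at(minute):
    return datetime(2024, 1, 1, 12, minute, tzinfo=timezone.utc)

# Constructed sample events (timestamp, _raw); not real log data.
EVENTS = [
    (at(1), "error: Got error while reading: TimeoutException"),  # two matches
    (at(4), "error: java.util.concurrent.TimeoutException"),
    (at(9), "error: org.apache.avro.AvroRuntimeException: bad record"),
    (at(13), "error: TimeoutException after 30s"),
    (at(17), "error: user not found"),
]

if __name__ == "__main__":
    print(error_table(EVENTS))
```

The first sample event matches two patterns and is counted once, as Error1, so the order of the branches decides how overlapping messages are attributed; everything unmatched lands in the Error4 bucket.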
