Hi Ninjas
I struggle with a query including several "challenges".
I got proxy events like:
time="10-27-17 10:00:00" url="www.applepiesamurai.org/get_more_apple_pie" user="arnold.schwarzenegger" response_size=5000000 domain="applepiesamurai.org" url_cat="1,5"
time="10-27-17 10:02:00" url="www.applepiesamurai.org/get_more_apple_pie" user="arnold.schwarzenegger" response_size=7000000 domain="applepiesamurai.org" url_cat="1,5"
Now I have a CSV lookup that looks like the following:
url_cat,category_name
1,"Business"
5,"Cooking"
What I now wanted to create is a sum of the response_size by domain, day, user and then list the proxy category_name(s) by each domain:
Day| user| domain| response_size| category_name
10-27-17|arnold.schwarzenegger|applepiesamurai.org|12000000|Business Cooking
Turned out that this isn't quite as easy as I thought.
As url_cat can consist of multiple values, I created a new field called "cat" as a multivalue field using transforms "MV_ADD=true".
In the search, I use mv_expand on cat to do the lookup and get all the category_names for each event. But using that, the sum of the response size is miscalculated, as mv_expand creates x-times events as it has different cat values and therefore multiplies the sum x-times in my stats sum command.
After wasting hours with appends and evals I had to pause before I smashed my keyboard.
Any ideas on how I get the correct calculation but showing all the category_names?
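Added example, not part of the original post: a Python model of the aggregation order that avoids the double counting described above, summing response_size once per event and only then resolving the category values. The sample events and lookup rows are copied from the post; the function names are made up for this illustration.

```python
import csv
import io
import shlex
from collections import defaultdict

# Constructed sample input: the two proxy events and the lookup rows from the post.
EVENTS = '''time="10-27-17 10:00:00" url="www.applepiesamurai.org/get_more_apple_pie" user="arnold.schwarzenegger" response_size=5000000 domain="applepiesamurai.org" url_cat="1,5"
time="10-27-17 10:02:00" url="www.applepiesamurai.org/get_more_apple_pie" user="arnold.schwarzenegger" response_size=7000000 domain="applepiesamurai.org" url_cat="1,5"'''
LOOKUP_CSV = 'url_cat,category_name\n1,"Business"\n5,"Cooking"\n'


def parse_event(line):
    """Split one key="value" proxy event into a dict (shlex honours the quotes)."""
    return dict(token.split("=", 1) for token in shlex.split(line))


def load_lookup(text):
    """Map url_cat id -> category_name from the CSV lookup."""
    return {r["url_cat"]: r["category_name"] for r in csv.DictReader(io.StringIO(text))}


def summarize(events, lookup):
    """Sum response_size once per event, collect category ids as a set, resolve names last."""
    totals = defaultdict(int)
    cats = defaultdict(set)
    for ev in events:
        key = (ev["time"].split()[0], ev["user"], ev["domain"])
        totals[key] += int(ev["response_size"])  # counted once, before any expansion
        cats[key].update(c.strip() for c in ev["url_cat"].split(",") if c.strip())
    rows = []
    for key in sorted(totals):
        # Unknown ids stay visible instead of silently dropping out of the report.
        names = sorted(lookup.get(c, f"unknown({c})") for c in cats[key])
        rows.append((*key, totals[key], " ".join(names)))
    return rows


def naive_expanded_sum(events):
    """The miscalculation from the post: one row per category value, then sum."""
    return sum(int(ev["response_size"]) for ev in events for _ in ev["url_cat"].split(","))


if __name__ == "__main__":
    events = [parse_event(line) for line in EVENTS.splitlines()]
    for row in summarize(events, load_lookup(LOOKUP_CSV)):
        print("|".join(map(str, row)))
    print("sum after expanding first:", naive_expanded_sum(events))
```

In the search itself, the same ordering means running the stats sum before the multivalue field is expanded, or carrying the category values through the stats as a multivalue field and resolving them afterwards.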