Hi, I am working on a query where I have to match the responseCode from search to the responseCode in a lookup i created. That lookup contains the responseCode and it's description.
Now there are few cases where the responseCode in search does not matches to anything in the lookup table. I want the count of all responseCodes. If it matches in the lookup then with it's description and if it doesnt matches then description would be null but I want the count.
My current search is not giving the count of the unmatched responseCode -
index="test" sourcetype="test_log"
| dedup time,host,source,_raw
| lookup Response_Codes_Desc ResponseCode
| stats count by ResponseCode Description
| sort - count
Please could someone help on this?
↧