sumologic

How do I create an aggregated table in sumologic?


How can I construct a sumologic query which would return the below log items in an aggregated table which groups the uri, status_code and number of requests. For example: uri = /healthcheck, status_code = 200 and requests = 1.

<27>Sep 12 11:03:26 my-app/0.0.0/75a2b6b67d68[2908]: [Wed Sep 12 11:03:26 2018] 00.00.00.00:00000 [200]: /healthcheck

I'm specifically unsure how to parse such a log, I tried this but it did not work:

_source="syslog-collector-tcp" "my-app"
| parse "[*] : *" as request

Solution

  • You probably need to use regex for this. It would look something like:

    | parse regex "\[(?<status_code>[0-9]{3})\]: (?<uri>\/.*)$"
    | count as requests by status_code, uri

    This will remove log lines that don't meet the criteria for the regex. If you want to keep the other lines, you'll need to add nodrop:

    | parse regex "\[(?<status_code>[0-9]{3})\]: (?<uri>\/.*)$" nodrop
    | count as requests by status_code, uri

    This is just an example - the exact regex for your logs may be slightly different depending on how they're formatted, but this was what I came up with for your example above.

    Hope this helps!
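The extraction and aggregation the answer describes, reproduced in Python as an added example (not part of the thread and not Sumo Logic code) so you can check what the regex captures and what nodrop changes; the sample log lines are constructed to match the format in the question, and the function and constant names are my own:

```python
import re
from collections import Counter

# Same pattern as the answer's parse regex, in Python syntax (named groups are (?P<name>...)).
# The leading slash sits inside the uri group so the field reads "/healthcheck".
REQUEST_RE = re.compile(r"\[(?P<status_code>[0-9]{3})\]: (?P<uri>/.*)$")

# Constructed sample lines modelled on the one in the question (not real traffic).
SAMPLE_LOGS = [
    "<27>Sep 12 11:03:26 my-app/0.0.0/75a2b6b67d68[2908]: [Wed Sep 12 11:03:26 2018] 00.00.00.00:00000 [200]: /healthcheck",
    "<27>Sep 12 11:03:27 my-app/0.0.0/75a2b6b67d68[2908]: [Wed Sep 12 11:03:27 2018] 00.00.00.00:00000 [200]: /healthcheck",
    "<27>Sep 12 11:03:28 my-app/0.0.0/75a2b6b67d68[2908]: [Wed Sep 12 11:03:28 2018] 00.00.00.00:00000 [404]: /missing-page",
    "<27>Sep 12 11:03:29 my-app/0.0.0/75a2b6b67d68[2908]: [Wed Sep 12 11:03:29 2018] 00.00.00.00:00000 [500]: /api/orders",
    "<27>Sep 12 11:03:30 my-app/0.0.0/75a2b6b67d68[2908]: worker started",
]


def parse_request(line):
    """Return (status_code, uri) for a request line, or None when the regex does not match."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    return m.group("status_code"), m.group("uri")


def count_by(lines, nodrop=False):
    """Aggregate like `| count as requests by status_code, uri`.

    Without nodrop, lines the regex does not match are dropped, as in Sumo Logic.
    With nodrop they are kept and land in a (None, None) bucket, which is how you
    notice log lines the pattern silently misses (e.g. the "worker started" line).
    """
    counts = Counter()
    for line in lines:
        fields = parse_request(line)
        if fields is None:
            if not nodrop:
                continue
            fields = (None, None)
        counts[fields] += 1
    return dict(counts)


if __name__ == "__main__":
    for (status_code, uri), requests in count_by(SAMPLE_LOGS, nodrop=True).items():
        print(f"{status_code}\t{uri}\t{requests}")
```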