I was wondering if anyone might want to take a stab at this one. I have an ES|QL query I'm trying to get to work. Right now I'm able to get the field "http.status" to "not equal" a value of "200":
| eval failures = case(http.status != "200",1,0)
What I am struggling with is how to get the field "http.status" to "not equal" a value from "200 to 299". Both of these I have tried and can't get to work:
from traces-apm-default
| where http.response.status_code is not null
| eval success = case(http.response.status_code >= 200 and http.response.status_code < 400, 1,0)
| keep @timestamp, http.response.status_code, success
If they are keyword, you will need to convert to integer, something like this:
from traces-apm-default
| where labels.http_status_code is not null
| eval status_num = to_integer(labels.http_status_code)
| eval success = case(status_num >= 200 and status_num < 400, 1,0)
| keep @timestamp, labels.http_status_code, success