Querying by Common Fields

_source=BridgeServer2-Prod MetricsFilter | parse "\"status\":*," as status | where status >= 400 and status < 500 and status != 401

This query matches our 4XX alarm. All requests that had a 4XX error, except 401s (which are surprisingly common).

Groups the results by IP Address and orders them by most common IP Address.

Groups the results by User ID and orders them by most common User ID.

_source=BridgeServer2-Prod MetricsFilter | parse "\"user_id\":\"\"" as userId nodrop

This simple query parses the userId from our MetricsFilter. The nodrop means that if the line doesn’t have a userId, we still preserve the line in our results, but the parsed userId shows up as blank.

Graphs

_source=BridgeServer2-Prod MetricsFilter | parse "\"elapsedMillis\":*}" as latency | num(latency) | timeslice 1h | pct(latency,50,95,99) by _timeslice | order by _timeslice asc

Shows hourly latency, 50th percentile (median), 95th percentile, and 99th perceptile. Works best if you use the Line Chart option.

Advanced Queries

_source=BridgeServer2-Prod MetricsFilter reauth "\"status\":200" "\"user_agent\":\"Blood Pressure/88" | parse "\"remote_address\":\"\"" as ipAddress | where [subquery: _source=BridgeServer2-Prod MetricsFilter reauth "\"status\":404" "\"user_agent\":\"Blood Pressure/88" | parse "\"remote_address\":\"\"" as ipAddress | count ipAddress | compose ipAddress] | count ipAddress | order by _count desc

Get all MetricsFilter entries for reauth calls that succeeded that also had failing reauth calls in the same time frame.

Get all MetricsFilter entries for all requests affected by broken pipe errors.

Nested queries. Also works with where ![subquery: ...].