Forum Discussion
Specific query - question
Hi, I need assistance please.
Given the following query:
F5_CL
| where TimeGenerated >= ago(3m) //change to required time
| extend RawData=split(RawData, '##') //split all raw data to specific values
| extend remote_address = tostring(RawData[1]) // take external remote address
| extend URL_Path = trim(@'\?(.*)',trim(@'([^\s]+)',tostring(RawData[5])))
| extend responseStatus = tostring(RawData[3])
| summarize count() by URL_Path,remote_address
| where responseStatus != "403" and responseStatus != "404" and responseStatus != "503" and count_ > 150 and remote_address != ""
The problem is that responseStatus is not recognized in the "where" line since it's not summarized. I don't want it to be summarized since it will split all values of responseStatus.
Does anybody have an idea how and responseStatus != "503" will be valid in the "where" line?
I hope the question is clear, Thanks.
- CliveWatson (Microsoft)
Can you move this line BEFORE the summarize
| where responseStatus != "403" and responseStatus != "404" and responseStatus != "503" and remote_address != ""
then have this line after the summarize?
| where count_ > 150
- MatRock345 (Copper Contributor)
CliveWatson
Wow!
It works, Thanks!!
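The fix from the thread assembled into one query, added here as an example that is not part of the original posts: the status filter runs before summarize and the count threshold after it. It goes one step beyond the reply by adding make_set(responseStatus), so the statuses stay visible per group without splitting the counts; the F5_sample rows, their placeholder fields (f0, f2, f4) and the lowered threshold are constructed assumptions.

```kusto
// Constructed sample standing in for F5_CL. Only the '##'-separated fields the
// thread's query reads are meaningful: [1] remote address, [3] response status,
// [5] request line. The other fields are placeholders.
let threshold = 2; // the thread uses 150; lowered so the small sample returns a row
let F5_sample = datatable(RawData: string)
[
    "f0##198.51.100.7##f2##200##f4##GET /login?u=a HTTP/1.1",
    "f0##198.51.100.7##f2##200##f4##GET /login?u=b HTTP/1.1",
    "f0##198.51.100.7##f2##302##f4##GET /login?u=c HTTP/1.1",
    "f0##198.51.100.7##f2##403##f4##GET /login?u=d HTTP/1.1", // excluded: 403
    "f0##203.0.113.9##f2##404##f4##GET /admin HTTP/1.1",      // excluded: 404
    "f0##203.0.113.9##f2##200##f4##GET /index HTTP/1.1",      // below threshold
    "f0####f2##200##f4##GET /login HTTP/1.1"                  // excluded: empty address
];
F5_sample
// The TimeGenerated filter from the original query is omitted: the sample rows are static.
| extend Fields = split(RawData, '##')
| extend remote_address = tostring(Fields[1])
| extend responseStatus = tostring(Fields[3])
| extend URL_Path = trim(@'\?(.*)', trim(@'([^\s]+)', tostring(Fields[5])))
// Row-level filters go BEFORE summarize, while responseStatus is still a column.
| where responseStatus !in ("403", "404", "503") and remote_address != ""
// responseStatus is not a group key, so counts are not split per status;
// make_set keeps the distinct statuses of each group for triage.
| summarize count(), Statuses = make_set(responseStatus) by URL_Path, remote_address
// Filters on the aggregate go AFTER summarize, where count_ exists.
| where count_ > threshold
```

To run it against real data, replace F5_sample with F5_CL, restore the TimeGenerated filter and set threshold back to 150.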