How to use rex command to extract two fields and chart the count for both in one search query?

问题

I have a log statement like 2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{"message":{"TransactionStatus":true,"TransactioName":"removeLockedUser-1498029828160"}} . How can i extract TransactionName and TranscationStatus and print in table form TransactionName and its count.

I tried below query but didn't get any success. It is always giving me 0.

sourcetype=10.240.204.69 "TransactionStatus" | rex field=_raw ".TransactionStatus (?.)" |stats count((status=true)) as success_count

回答1:

Solved it with this :

| makeresults | eval _raw="2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{\"message\":{\"TransactionStatus\":true,\"TransactioName\":\"removeLockedUser-1498029828160\"}}" | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | rex "{\"TransactionStatus\":(?[^,]),\"TransactioName\":\"(?[^\"])\"" | chart count OVER TransactioName BY TransactionStatus

来源：https://stackoverflow.com/questions/44673791/how-to-use-rex-command-to-extract-two-fields-and-chart-the-count-for-both-in-one

标签

splunk

splunk-query

Rex

易学教程内所有资源均来自网络或用户发布的内容，如有违反法律规定的内容欢迎反馈！
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!