Hi,
If Accepted and Rejected are extracted into a field, e.g. zzz_status or something similar, the following search might do the trick.
UPDATED AGAIN AGAIN: If you just want to count the occurrence of success/fail, and the events within the log contain the string mentioned in your comment (<ns:emailaccepted blah> or <ns:emailrejected blah blah>), the search could be altered into:
sourcetype="zzz" | rex field=_raw "<ns:email(?<zzz_status>[^ ]+)" | stats count(eval(zzz_status=="accepted")) AS Success count(eval(zzz_status=="rejected")) AS Fail | eval SuccessToFailRatio=Success/Fail | table Success, Fail, SuccessToFailRatio
The rex statement above will find whatever is between "<ns:email" and the first blank space (" "), and call it zzz_status. Beware though that this would also match on <ns:email-server, <ns:emailaccount, <ns:emailAddress etc etc, so you might want to watch your step there...
hth,
Kristian
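The over-matching caveat in the answer above, worked through as an added example (not part of the original answer or thread). It runs a loose pattern equivalent to the posted rex and a stricter one over constructed events; the sample events, the case-insensitive matching and the names LOOSE, STRICT, statuses and tally are assumptions made for illustration. Python spells the named group as (?P<name>...).

```python
import re

# Constructed sample events (not from the thread); tag names follow the posts.
SAMPLE_EVENTS = [
    '<ns:EmailAccepted id="1"><ns:RID>1234</ns:RID></ns:EmailAccepted>',
    '<ns:EmailAccepted><ns:RID>1236</ns:RID></ns:EmailAccepted>',
    '<ns:EmailRejected id="3"><ns:RID>1235</ns:RID></ns:EmailRejected>',
    '<ns:EmailAddress type="to">a@example.test</ns:EmailAddress>',
    '<ns:email-server name="mx1"/>',
    '<ns:EmailAcceptedCount total="2"/>',
    '<ns:EmailAccepted/>',
]

# Same shape as the posted rex: everything after "<ns:email" up to the first space.
LOOSE = re.compile(r"<ns:email(?P<status>[^ ]+)", re.IGNORECASE)

# Stricter: only the two status tags, and the tag name must end right there
# (next character is whitespace, "/" or ">").
STRICT = re.compile(r"<ns:email(?P<status>accepted|rejected)(?=[\s/>])", re.IGNORECASE)


def statuses(events, pattern):
    """Return the lower-cased status captured from each event, or None."""
    result = []
    for event in events:
        match = pattern.search(event)  # first match only, like rex by default
        result.append(match.group("status").lower() if match else None)
    return result


def tally(events, pattern):
    """Return (success, fail, ratio); ratio is None when there are no failures."""
    found = statuses(events, pattern)
    success = found.count("accepted")
    fail = found.count("rejected")
    ratio = success / fail if fail else None  # avoid dividing by zero
    return success, fail, ratio


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        print(name, statuses(SAMPLE_EVENTS, pattern), tally(SAMPLE_EVENTS, pattern))
```

The loose pattern undercounts as well as over-matches: a tag with no attributes has no space after its name, so the captured value runs on past "Accepted" and never equals the status being counted.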
You can use the xmlkv command to extract those key pairs.
text
<ns:Response>
<ns:RID>1234</ns:RID>
<ns:RQID>D201109191</ns:RQID>
same way
text
<ns:Response>
<ns:RID>1234</ns:RID>
<ns:RQID>D201109191</ns:RQID>
The logging happens where the actual payload starting with <ns:EmailAccepted but that is enclosed under TEXT
Success scenarios have EmailAccepted
Could you submit a sample event or two? I believe that rex is the answer to your question.
Thanks Kristian.
But now I am stuck with one other problem: when I said Accepted (it is a part of XML tag), can you help how to extract XML tag name?
Like my xml's having tags *Accepted are success scenario logs [eg:
So I need to count all events with EmailAccepted in XML's
and then take a ratio
Sorry, I meant ratio of SuccessCases/FailureCases
"rqtion" ?