@gcusello , thank you!
Here is the search code:
index=pcf_* cf_org_name="Network Software Development and Automation" cf_space_name="Development" cf_app_name=*privatecloud-dev* msg=*VALUES* *user_logs*
| rex field=msg "VALUES (?<valuees>.*)"
| eval fields=split(valuees,"'")
| eval user=mvindex(fields,0)
| eval user=mvindex(fields,1)
| eval method=mvindex(fields,3)
| eval page=mvindex(fields,5)
| eval params=mvindex(fields,7)
| eval datetime =mvindex(fields,9)
| eval created_at=mvindex(fields,11)
| eval updated_at=mvindex(fields,13)
| stats count by datetime user method page params
I'm pulling the data from within the field called 'msg' (example below). I extract it to new fields so we can search and sort by that data.
Particularly this data:
user_logs ( user , method , page , params , datetime , created_at , updated_at )
Here is an example of 'msg':
[1m[36mUserLog Create (27.8ms)[0m [1m[32mINSERT INTO `user_logs` (`user`, `method`, `page`, `params`, `datetime`, `created_at`, `updated_at`) VALUES ('Opredelennov, Eugene', 'destroy', 'deployments', '{\"id\"=>132, \"apic_id\"=>1, \"decommission_standard_change_id\"=>\"CRQ000001518730\", \"decommission_standard_change_url\"=>\"https://remedy-test.lmig.com/arsys/shared/Ticket.jsp?ID=CRQ000001518730\", \"decommissioner_id\"=>2, \"name\"=>\"10G-VPC-test-vlan2508\", \"description\"=>\"10G-VPC-test-vlan2508\", \"provision_standard_change_id\"=>\"CRQ000001517986\", \"provision_standard_change_url\"=>\"https://remedy-test.lmig.com/arsys/shared/Ticket.jsp?ID=CRQ000001517986\", \"status\"=>\"Decommissioned\", \"user_id\"=>4, \"user_group_id\"=>nil}', '2020-03-16 14:50:42', '2020-03-16 14:50:42', '2020-03-16 14:50:42')
Thanks again.
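An added example, not part of the original post: splitting the VALUES text on every `'` shifts the field positions as soon as a value contains an apostrophe, which matters when these rows are used as an audit trail. This Python sketch parses the same INSERT line with a quote-aware splitter and maps values to the column names in the statement. It assumes embedded quotes are logged as `\'` or `''`; the function names and the sample line are constructed for illustration.

```python
import re

# Column list and VALUES body of the INSERT statement format shown in the post.
INSERT_RE = re.compile(
    r"INSERT INTO `user_logs` \((?P<cols>[^)]*)\) VALUES \((?P<vals>.*)\)", re.S)
ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}  # other escaped chars are kept literally

def split_sql_values(vals):
    """Split a VALUES body on commas, honouring quotes and escaped quotes."""
    items, buf, in_quote, i = [], [], False, 0
    while i < len(vals):
        ch = vals[i]
        if in_quote and ch == "\\" and i + 1 < len(vals):
            buf.append(ESCAPES.get(vals[i + 1], vals[i + 1]))
            i += 1                       # consume the escaped character too
        elif in_quote and ch == "'" and vals[i + 1:i + 2] == "'":
            buf.append("'")              # doubled quote is a literal quote
            i += 1
        elif ch == "'":
            in_quote = not in_quote      # opening or closing quote
        elif in_quote or not (ch == "," or ch.isspace()):
            buf.append(ch)               # value text (quoted or bare, e.g. NULL)
        elif ch == ",":
            items.append("".join(buf))   # comma outside quotes ends a value
            buf = []
        i += 1
    items.append("".join(buf))
    return items

def parse_user_log(msg):
    """Return {column: value} for a user_logs INSERT line, else None."""
    m = INSERT_RE.search(msg)
    if not m:
        return None
    cols = re.findall(r"`([^`]+)`", m.group("cols"))
    vals = split_sql_values(m.group("vals"))
    return dict(zip(cols, vals)) if len(cols) == len(vals) else None

def naive_fields(msg):
    """The split-on-quote approach, for comparison with parse_user_log."""
    return msg.split("VALUES ", 1)[1].split("'")

# Constructed sample (assumption: quotes inside values are escaped as \' or '').
SAMPLE = r"""INSERT INTO `user_logs` (`user`, `method`, `page`, `params`, `datetime`, `created_at`, `updated_at`) VALUES ('O\'Brien, Pat', 'destroy', 'deployments', '{\"id\"=>132, \"name\"=>\"it''s-test\"}', '2020-03-16 14:50:42', '2020-03-16 14:50:42', '2020-03-16 14:50:42')"""

if __name__ == "__main__":
    print("naive user field:", naive_fields(SAMPLE)[1])
    print("parsed record:   ", parse_user_log(SAMPLE))
```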