My event records are XML-based, as shown below, coming in from one file and one sourcetype.
I am able to extract child tags inside each one; that's not an issue.
But how do I count how many records were of type Transaction and how many were of type Error?
Try following
sourcetype=gatewaylogs1 | rex "^\<(?<eventType>[^\>]+)" | stats count by eventType
This should give you the count of events for transaction/error.
Try this
sourcetype=gatewaylogs1 "<transaction>" OR "<error>"
| eval type=case(match(_raw,"\<transaction\>"), "Transaction", match(_raw,"\<error\>"), "Error")
| stats count by type
If a transaction contains an XML error field, it will be counted only as a transaction, not as an error (the first matching condition in case() wins).
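To make the two classification rules above concrete, here is an added Python example (not from the thread) that runs both approaches over a few constructed XML events; the event texts and function names are my own. It also shows why a rex anchored at `^\<` misfires when an event starts with whitespace or an XML declaration, while the first-match-wins case() does not.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample events (not from the thread): one XML record per event, as Splunk _raw.
SAMPLE_EVENTS = [
    '<transaction><id>1</id><amount>10.00</amount></transaction>',
    '<error><code>500</code><msg>timeout</msg></error>',
    '<?xml version="1.0"?><transaction><id>2</id></transaction>',   # leading XML declaration
    '  <transaction><id>3</id><error>partial</error></transaction>',  # leading whitespace, nested <error>
    '<error><code>404</code></error>',
]

# Same anchor as the thread's rex "^\<(?<eventType>[^\>]+)".
STRICT_ROOT = re.compile(r"^<([^>]+)")
# Tolerant variant: skip leading whitespace and an optional <?xml ...?> declaration.
ROOT_TAG = re.compile(r"^\s*(?:<\?xml[^>]*\?>\s*)?<([A-Za-z_][\w.-]*)")

def event_type_by_strict_rex(raw):
    """Mimic the thread's rex exactly; returns None where Splunk would leave eventType unset."""
    m = STRICT_ROOT.match(raw)
    return m.group(1) if m else None

def event_type_by_regex(raw):
    """Root tag name via the tolerant regex (the rex you would actually want)."""
    m = ROOT_TAG.match(raw)
    return m.group(1) if m else None

def event_type_by_case(raw):
    """Mimic eval type=case(match(_raw,"<transaction>"),"Transaction", match(_raw,"<error>"),"Error").
    Conditions are tested in order, so a transaction with a nested <error> still counts as Transaction."""
    if "<transaction>" in raw:
        return "Transaction"
    if "<error>" in raw:
        return "Error"
    return None

def event_type_by_parser(raw):
    """Root tag from a real XML parse; robust to declarations and whitespace, None on malformed input."""
    try:
        return ET.fromstring(raw.strip()).tag
    except ET.ParseError:
        return None

def count_by(events, classifier):
    """Equivalent of '| stats count by type': events where the field is unset are not counted."""
    counts = Counter(classifier(e) for e in events)
    counts.pop(None, None)
    return dict(counts)
```

Note the strict rex captures the XML declaration as the "type" of event 3 and drops event 4 entirely, which is one way to end up with fewer rows than events.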
Well, your search isn't filtering out anything, so it will certainly have all the events from gatewaylogs1. I have updated the search, but I'm not sure yet if it will work.
Tried this
sourcetype=gatewaylogs1 | eval type=case ( match(_raw,"<error>"), "Error", match(_raw,"<transaction>"), "Transaction" ) | stats count by type
No errors, but no output. All it says is 16 events; it shows the number of events, 16 events (before 12/16/13 11:25:23.000 AM), but there is no output in the Statistics tab.
And 16 is total events including events that has
How are you extracting fields? Using a regular expression for each field, or using spath?