I've got a long csv and extracted the fields. Now in one field, there's more than one piece of information.
Depending on how many recipients a message is for, more recipients are logged. The format is like:
...|{}|{"...","..","recipient0":"01234567","recipient1":"09877543","recipient2":"151617189",....,"recipient8":"41790042325","IP":1.1.1.1","..."}|{}|...|
...|{}|{"...","..","recipient0":"05974567","recipient1":"09877543","recipient2":"151617199","IP":1.1.1.1","..."}|{}|...|
So "recipient0" is always present, and there are at most 10 recipients (0-9). I'd like to have a timechart on how many recipients a message got, so I'm searching for a command to find the "highest" recipient.
I hope my question is understandable and you can help me, many thanks.
Hi,
you can try it with something like this:
... | rex max_match=0 "recipient(?<counter>\d)" | eval max_result = max('counter') + 1
The rex command extracts the number of the recipient fields into a multivalue field. Then you use max to get the maximum. Because the fields are numbered from 0 to 9, you might want to add a "+ 1" to the eval command for the correct count.
Thank you, it helped me.
I can't figure out how to search only in one field. "recipient0" etc. also occurs in other fields in the log, so I'd have to adapt the regex or try it with a subsearch.
And would it be good to change the regex so it only matches 1 digit after "recipient"? Or does it only "operate" with numbers, since we calculate with it afterwards?
Yeah, so you can first use a rex command to make a field that contains only the recipient data of interest. For example, a regex that extracts
{"...","..","recipient0":"01234567","recipient1":"09877543","recipient2":"151617189",....,"recipient8":"41790042325","IP":1.1.1.1","..."}
out of
...|{ other log data with recipients in it}|{"...","..","recipient0":"01234567","recipient1":"09877543","recipient2":"151617189",....,"recipient8":"41790042325","IP":1.1.1.1","..."}|{ more log data with recipients in it}|...|
and then use the rex from my first answer only on this field.
"would it be good to change the regex so it only matches 1 digit after "recipient"?" -> It already matches only one digit after "recipient", since I only used \d and not \d+ or \d*, where \d stands for a single digit.
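To make the two answers above concrete, here is an added Python example (not from the thread and not Splunk code) that does the same thing offline: isolate one pipe-delimited field, apply the single-digit recipient regex to that field only, take max + 1, and bucket the counts the way a timechart would. It assumes the message blob is the third pipe-delimited field and uses constructed sample lines in the shape shown in the question.

```python
import re
from collections import Counter

# Constructed sample lines (not real log data): pipe-delimited, third field holds
# the message blob. The second line also has "recipientN" keys in another field,
# which is exactly the over-counting problem raised in the follow-up question.
SAMPLE_LINES = [
    '2024-01-01T10:00:00|{}|{"subject":"a","recipient0":"01234567",'
    '"recipient1":"09877543","recipient2":"151617189","IP":"1.1.1.1"}|{}|end',
    '2024-01-01T10:00:01|{"recipient0":"x","recipient1":"y"}|'
    '{"subject":"b","recipient0":"05974567","IP":"1.1.1.1"}|{}|end',
    '2024-01-01T10:00:02|{}|{"subject":"c","IP":"1.1.1.1"}|{}|end',
]

# Same idea as the thread's rex: exactly one digit after "recipient" (\d, not \d+),
# so indices 0-9 are the only values that can ever be captured.
RECIPIENT_RE = re.compile(r'"recipient(\d)"')

def message_field(line, index=2, sep="|"):
    """Return the one pipe-delimited field that holds the message blob.

    Assumption: the blob is field `index` (0-based); adjust for another layout.
    """
    return line.split(sep)[index]

def recipient_count(line):
    """max(recipient index) + 1, computed over the message field only."""
    indices = [int(m) for m in RECIPIENT_RE.findall(message_field(line))]
    return max(indices) + 1 if indices else 0

def naive_recipient_count(line):
    """The first answer's approach applied to the whole line: a recipientN key in
    any other field can raise the maximum and inflate the count."""
    indices = [int(m) for m in RECIPIENT_RE.findall(line)]
    return max(indices) + 1 if indices else 0

def count_distribution(lines):
    """Histogram {recipient_count: number_of_messages}, the series a timechart
    would plot per time bucket."""
    return dict(Counter(recipient_count(line) for line in lines))

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(recipient_count(line), naive_recipient_count(line))
    print(count_distribution(SAMPLE_LINES))
```

On the second sample line the field-restricted count is 1 while the whole-line count is 2, which is the discrepancy the follow-up question describes.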