I have a chart to build which i can search for but did not manage to chart. The data comes in like this (shown below) and for how i distinguish these records, I use regex to pick out the fields as it comes into the index (containers).
e.g of how to identify a ATM transaction(txn), i need to key this into the search string.
$ index=BOTW sourcetype= "INCOMING MSG : [0110]" | regex_raw="(\[3\]\s+[(00|5\d|98|96)\d\d\d\d\]\s+\[20\]\s+\[6\])"
Now i am suppose to build a complex chart but it seems insurmountable. The total transactions, successful transactions and specific transactions are to be in 1 chart. and the only way to distinguish them is via regular expression as the input comes to me as coded numbers.
How can i build this chart? or do you think it is not possible?
P.S I have ever thought of putting them up separately, but e.g total txn as 1 chart, successful txn as 1 and specific txn. but the POS, ECOM and ATM is also an issue. They are identified individually which is not difficult but when it comes to putting them together in a chart, it seem to come to a standstill. I'm at my wits end!
You might have some success by using eval
to create "proxy" fields for your original data. I've used this technique in the past similar to this:
my_search
| eval field1=if(match(_raw,"ABC"),1,0)
| eval field2=if(match(some_other_field,"XYZ"),1,0)
| chart sum(field1) as ABC_COUNT, sum (field2) as XYZ_in_some_other_field_count
Basically, you would eval
a field to a "0" or a "1" for each of your 9 possible values above. Then when you sum()
the value of these new fields, you have a count of events that matched each criteria.