My search result is like this:
result 1
. message hello test helo test
result 2
. message hello test helo test
result3
. message hello test helo test
count or group by message1, message 2
First, you can't create a variable with a name that starts with underscore (_).
Here is a way to group them and report; this answer includes some of the ideas in the comments as well.
index=index1 "message hello1" OR "message hello2" plus whatever else belongs in your search
| rex "message\s(?<message>.{1,20})"
| eval message=case(isnull(message),"No message",
match(_raw,"hello1") OR user="admin","Msg 3",
match(_raw,"hello2"),"Msg 2",
match(_raw,"hello1"),"Msg 1" )
| stats count by message
First, the rex command looks at the raw text for the word "message" followed by a space, and then collects the following 20 characters (or less if there aren't 20 characters remaining on the line).
Next, the eval command checks for a number of conditions: is the message field null (meaning that there was no match in the rex command), does it match one of several patterns? Notice that the tests are executed in order, and the first true condition determines the new value of message. If none of the conditions are true, the value of message is unchanged. This gives you the ability to further categorize the data if you wish. If not, you can leave out the entire eval command.
Finally, the stats command counts the number of occurrences of each message.
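To make the three-stage logic of that search concrete (rex extraction, then a first-true-condition-wins case(), then a count per value), here is a small Python model of the same pipeline. It is an added example, not Splunk code and not from the answer or the thread; the regex and the case() branches are copied from the search above, the sample events and the "user" field values are constructed for the example, and the fall-through behaviour (value left unchanged when no branch matches) follows what the answer states rather than anything verified against Splunk.

```python
import re
from collections import Counter

# Equivalent of:  | rex "message\s(?<message>.{1,20})"
# "message" followed by one whitespace, then the next 1..20 characters.
MESSAGE_RE = re.compile(r"message\s(?P<message>.{1,20})")

# Constructed sample events: (raw event text, already-extracted "user" field).
# These lines are invented for the example; they are not from the original thread.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01Z app1: message hello1 from bob", "bob"),
    ("2024-05-01T10:00:02Z app1: message hello2 test", "bob"),
    ("2024-05-01T10:00:03Z app1: message hello2 test", "admin"),
    ("2024-05-01T10:00:04Z app1: helo test, no keyword here", "bob"),
    ("2024-05-01T10:00:05Z app1: message mikale", "bob"),
]


def rex_message(raw):
    """Stage 1 (rex): return the captured text, or None when the regex
    does not match, which is what Splunk's isnull(message) test sees."""
    m = MESSAGE_RE.search(raw)
    return m.group("message") if m else None


def eval_case(raw, message, user):
    """Stage 2 (eval message=case(...)): conditions are tested top to bottom
    and the first true one decides the value. Branch order is copied from the
    search above; note that any event containing "hello1" is caught by the
    "Msg 3" branch, so the later "Msg 1" branch never fires for it."""
    if message is None:
        return "No message"
    if re.search(r"hello1", raw) or user == "admin":
        return "Msg 3"
    if re.search(r"hello2", raw):
        return "Msg 2"
    if re.search(r"hello1", raw):
        return "Msg 1"
    # No branch matched: keep the rex value, as the answer describes.
    return message


def stats_count_by_message(events):
    """Stage 3 (stats count by message): occurrences per final message value."""
    counts = Counter()
    for raw, user in events:
        counts[eval_case(raw, rex_message(raw), user)] += 1
    return dict(counts)


if __name__ == "__main__":
    for message, count in sorted(stats_count_by_message(SAMPLE_EVENTS).items()):
        print(f"{message!r}: {count}")
```

Running it over the five constructed events gives two "Msg 3" (the hello1 event and the admin event), one "Msg 2", one "No message" for the line with no "message " keyword, and one "mikale" that fell through unchanged. The ordering point is the one worth keeping in mind when you write your own case(): put the most specific test first, or a broad earlier branch will swallow events you meant for a later one.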
@jw44250 - did you ever get a solution to this one?
Yes. Thanks to everyone; sorry, I have been busy with work.
This question is extremely vague and not well-formed. It's not possible to give you code to solve your issue if the structure of the data isn't understood accurately.
1) Is there a field that is the one that contains the word message, or are we checking the _raw event data?
2) If the details of the message location can vary widely, please explain in English how exactly YOU (as a human) would determine that two messages inside the _raw data were exactly the same? What would you use as the boundaries of the "message" part of the _raw data?
3) If the value of the whole message is to be extracted from _raw data, then please show us two entire messages -- different but similar -- with all the timestamps and other field markers present. You can obfuscate the data as needed -- replace the hostnames with "myhost", usernames with "myusername" etc. Once we see this, we can code you a regular expression to pull out the message data.
As a general case, I'm assuming that we are aiming for something like this:
index=myindex [your original search] | search "message"
| rex field=_raw "some regular expression that pulls out (?<TheMessage>.*) and leaves out stuff that isn't the message..."
| stats count by TheMessage
Assuming that in your results "result_field" starts with the word message and ends with the last word of the message. I have assumed that your result field can start with
message ...
message= ...
message = ... etc
your search ... | rex field=result_field "message\s*\=*\s*(?<Msg>.*)$" | stats count by Msg
Where are you getting this data "field=result_field"? It will not work, since I don't have any field or unique anything; it's just a statement like "This message from john".
The message can appear any place; these statements come from log files.
Suppose you have statements like:
Result 1
"This message from john."
Result 2
"Message sorry boss not wrong data"
Result 3
"Pls correct your message before going forward"
Result 4
"This message from john."
Result 5
"Message sorry boss not wrong data"
Result 6
"Pls correct your message before going forward"
Group Message A => 1 and 4 = "This message from john"
Group Message B => 2 & 5 " = "Message sorry boss not data"
Group Message C = 3 & 6 result "pls correct your message before going forward"
There is no unique field.
Is the message field already extracted? If not, share some sample results so that we can suggest a regex to extract it. After the field extraction, you could simply use ...| stats count by message type of commands.
index= index1 "message"
The message can appear anywhere: start of the paragraph, middle, end, etc.
Query Result
"message hello1"
message=" message hello2";
message="message hello1"
message="hello message test"
message="mikale"
Actually, I need to group them:
"message hello1"
message=" message hello2";
message="hello message test"
message="mikale"
There is no unique field. I want to make a new field and
do something like
_row="substring(message) 0-20 characters as message
@jw44250 - It would be helpful if you were to provide the search you're already using. Also, the more information you provide in your post, the greater chance of it being answered with a working solution.