I have a log statement like 2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{"message":{"TransactionStatus":true,"TransactioName":"removeLockedUser-1498029828160"}} .
How can I extract TransactionName and TransactionStatus and print, in table form, TransactionName and its count?
Like this:
| makeresults
| eval _raw="2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{\"message\":{\"TransactionStatus\":true,\"TransactioName\":\"removeLockedUser-1498029828160\"}}"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex "{\"TransactionStatus\":(?<TransactionStatus>[^,]*),\"TransactioName\":\"(?<TransactioName>[^\"]*)\""
| chart count OVER TransactioName BY TransactionStatus
SPECIAL NOTE: Are you sure there is not a missing n in your given text for TransactioName (this may have to be adjusted)?
Thanks Mr. Woodcock. This saved me a lot of time.
@woodcock
btw: Your syntax for "COMMENT" is not wrong, but there is a new one (since 6.5) you might find interesting.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Search/Addcommentstosearches
I like mine better. When they create a genuine comment command, not a macro, then I will switch.
Hi anuarora,
you could use this regex to extract your two fields:
\{\"TransactionStatus\"\:(?<TransactionStatus>[^,]*),\"TransactioName\"\:\"(?<TransactioName>[^\"]*)\"
You can put it in a field extraction or in a rex command:
| rex "\{\"TransactionStatus\"\:(?<TransactionStatus>[^,]*),\"TransactioName\"\:\"(?<TransactioName>[^\"]*)\""
Test it at https://regex101.com/r/8Ff4ji/1
Bye.
Giuseppe
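The two answers above use the same rex pattern, so here is one added example (my own code, not from either answer or from Splunk) that runs that extraction over a few constructed log lines in Python and builds the same table that `chart count OVER TransactioName BY TransactionStatus` would produce. It goes one step beyond the answers by accepting both the "TransactioName" spelling from the question and the "TransactionName" spelling Woodcock's note suspects, and it shows what happens to an event that carries no JSON payload at all. The sample events and the helper names (`extract`, `chart_counts`, `render`) are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original post): both spellings of the
# name key, both status values, a repeated name, and one line with no payload.
SAMPLE_EVENTS = [
    '2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 '
    '-{"message":{"TransactionStatus":true,"TransactioName":"removeLockedUser-1498029828160"}}',
    '2017-06-21 12:53:49,001 INFO transaction.TransactionManager.Info:181 '
    '-{"message":{"TransactionStatus":false,"TransactioName":"removeLockedUser-1498029829001"}}',
    '2017-06-21 12:53:50,117 INFO transaction.TransactionManager.Info:181 '
    '-{"message":{"TransactionStatus":true,"TransactionName":"unlockUser-1498029830117"}}',
    '2017-06-21 12:53:51,300 INFO transaction.TransactionManager.Info:181 '
    '-{"message":{"TransactionStatus":true,"TransactionName":"unlockUser-1498029830117"}}',
    '2017-06-21 12:53:52,000 INFO transaction.TransactionManager.Info:181 -heartbeat ok',
]

# Same capture groups as the rex on the page. The optional "n" in
# Transactio(n)?Name covers both the key in the question and the corrected key.
EVENT_RE = re.compile(
    r'\{"TransactionStatus":(?P<TransactionStatus>[^,]*),'
    r'"Transactio(?:n)?Name":"(?P<TransactionName>[^"]*)"'
)


def extract(line):
    """Return (TransactionName, TransactionStatus) or None when the regex does not match.

    This mirrors `| rex "..."`: an event that does not match simply gets no fields.
    TransactionStatus is returned as the raw JSON literal ("true"/"false"), exactly
    as the rex capture group leaves it in Splunk.
    """
    m = EVENT_RE.search(line)
    if not m:
        return None
    return m.group("TransactionName"), m.group("TransactionStatus")


def chart_counts(lines):
    """Mirror `| chart count OVER TransactionName BY TransactionStatus`.

    Returns {name: {status: count}}. Events without both fields are dropped, the
    same way chart drops rows whose OVER field is null.
    """
    table = defaultdict(lambda: defaultdict(int))
    for line in lines:
        fields = extract(line)
        if fields is None:
            continue
        name, status = fields
        table[name][status] += 1
    return {name: dict(by_status) for name, by_status in table.items()}


def render(table):
    """Format the chart as a plain-text table: one row per name, one column per status."""
    statuses = sorted({s for row in table.values() for s in row})
    header = ["TransactionName"] + statuses
    rows = [header]
    for name in sorted(table):
        rows.append([name] + [str(table[name].get(s, 0)) for s in statuses])
    widths = [max(len(r[i]) for r in rows) for i in range(len(header))]
    return "\n".join("  ".join(c.ljust(w) for c, w in zip(r, widths)) for r in rows)


if __name__ == "__main__":
    print(render(chart_counts(SAMPLE_EVENTS)))
```

Running it prints one row per TransactionName with a count column per status value; the "heartbeat" line contributes nothing, which is the same behaviour you get in Splunk when the rex does not match and the chart sees a null OVER field.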
I tried the query below but didn't get any success. It always gives me 0.
sourcetype=10.240.204.69 "TransactionStatus" | rex field=_raw ".TransactionStatus (?<status>.)" |stats count((status=true)) as success_count