Hi,
My log snippet is shown below:
[2012-09-01 11:02:27:405 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to agaur12@hotmail.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-01 11:02:32:544 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to testmyyyynp@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 03:29:42.0)
[2012-09-02 11:02:37:679 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to auuuu@abcd.com (firstName: jaber, lastName: kapo, language: eng, expiryDate: 2012-09-02 10:50:46.0)
[2012-09-03 11:02:42:806 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to test_123iopm@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 21:39:43.0)
[2012-09-03 11:02:27:405 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to ggg@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-03 11:02:22:400 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to nfmd@yahoo.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-05 11:02:32:544 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to testmnp@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 03:29:42.0)
[2012-09-05 11:02:37:679 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to nnjj@abc.com (firstName: jack, lastName: dorson, language: eng, expiryDate: 2012-09-02 10:50:46.0)
Query should return data on how many emails were sent on a particular day, i.e. if I want to know how many emails were sent on 2012-09-04, it should return 0 records.
Query should print the data in the below format, mentioning the number of emails sent for all the days in the log:
Date         No of Emails Sent
2012-09-01   2
2012-09-02   1
2012-09-03   3
2012-09-04   0
2012-09-05   2
I'd appreciate it if someone can provide answers to the above 2 questions.
Thanks in Advance!!
UPDATE: The log has other entries as well. I've provided only a snippet.
So for the first one, you simply need to do:
sourcetype=FOO | stats count
and restrict the time range to a single day.
For the second, you can use:
sourcetype=FOO | timechart span=1d count
Which will make sure you get the zero values on days with no events. You can rename columns using
count as "No of emails"
or something similar.
then you would need to filter down to just the 'email sent to' events before the pipe to stats/timechart using something like:
sourcetype=FOO "email sent to" | ...
The log does not have just "email sent to" lines... it has all other info as well, which I've not printed here.
Perhaps you can look at the timechart search command.
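
An added example, not part of any post in this thread: a Python sketch of what filtering on "email sent to" and then bucketing per day with zero-fill (the `timechart span=1d count` behaviour described above) computes, useful for cross-checking the search against a raw log file. The sample lines, the example.com addresses and the function name `emails_per_day` are constructed for illustration.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Constructed sample in the question's log format. The "cache refreshed" and
# "job finished" lines stand in for the other entries the real log contains.
SAMPLE_LOG = """\
[2012-09-01 11:02:27:405 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to a@example.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-01 11:02:32:544 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to b@example.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 03:29:42.0)
[2012-09-02 11:02:37:679 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to c@example.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 10:50:46.0)
[2012-09-03 11:02:42:806 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to d@example.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 21:39:43.0)
[2012-09-03 11:02:27:405 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to e@example.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-03 11:02:22:400 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to f@example.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-04 09:00:00:000 GMT+00:00][Timer-1][com.abc.myprog] INFO cache refreshed
[2012-09-05 11:02:32:544 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to g@example.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 03:29:42.0)
[2012-09-05 11:02:37:679 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to h@example.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 10:50:46.0)
[2012-09-05 11:03:00:001 GMT+00:00][Timer-1][com.abc.myprog] INFO job finished
"""

# Anchored at line start so the date is taken from the event timestamp,
# never from the expiryDate field later in the same line.
LINE_RE = re.compile(
    r"^\[(\d{4})-(\d{2})-(\d{2}) [^\]]*\]\[[^\]]*\]\[[^\]]*\] INFO email sent to \S+"
)

def emails_per_day(log_text):
    """Return [(YYYY-MM-DD, count)] for every day from first to last email event."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not "email sent to" events are skipped
            counts[date(*map(int, m.groups()))] += 1
    if not counts:
        return []
    day, last = min(counts), max(counts)
    rows = []
    while day <= last:  # walk every calendar day so gaps show up as 0
        rows.append((day.isoformat(), counts[day]))
        day += timedelta(days=1)
    return rows

if __name__ == "__main__":
    print("Date         No of Emails Sent")
    for day, n in emails_per_day(SAMPLE_LOG):
        print(f"{day}   {n}")
```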