I am looking to create a table for distinct errors we have. Unfortunately I had this working at one point and am unable to recreate it and didn't save it. I have the following string, "Error - (Some text explaining the error)". I was doing the following to pull the variable for the error string: rex field=_raw "Error - \|(?<ErrorString>\d+)"
I am looking to create a table with the server, distinct error string, count of total occurrences of the error on the specified server. Currently when I try to add my ErrorString field, I get the number of events from my search but each field is blank.
From your description it sounds like you might be after a search like:
...|rex field=_raw "Error - \|(?<ErrorString>\d+)" | stats count by host ErrorString
My error string is multiple words, is there a way to specify the rex to go a certain length and not stop at the first word?
If you wanted up to 30 characters, you could go
|rex field=_raw "Error - \|(?<ErrorString>.{1,30})"
Given the data, I don't see the reason for the escaped pipe \| in your rex. Try deleting that and seeing if the rex works again.
maybe this:
your search | rex field=_raw "Error - |(?<ErrorString>\d+)"
| stats count as error_count dc(ErrorString) as ErrString by server
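To show concretely why the original rex produces blank ErrorString values and how the alternatives suggested in this thread behave, here is an added Python example (not from the thread or from Splunk) that mimics `rex` plus `stats count by host ErrorString` on a handful of constructed log lines. Python spells a named group `(?P<name>...)` where Splunk's rex uses `(?<name>...)`; the host names, messages and the extra "rest of line" pattern are my own assumptions, added to go one step beyond the `.{1,30}` suggestion above.

```python
import re
from collections import Counter

# Constructed sample events (host, _raw); not taken from the thread.
EVENTS = [
    ("web01", "2024-01-01 10:00:00 Error - Connection refused by upstream"),
    ("web01", "2024-01-01 10:00:05 Error - Connection refused by upstream"),
    ("web01", "2024-01-01 10:01:00 Error - Disk quota exceeded"),
    ("web02", "2024-01-01 10:02:00 Error - Connection refused by upstream"),
    ("web02", "2024-01-01 10:03:00 INFO - heartbeat ok"),
]

# The patterns discussed in the thread, plus one (rest_of_line) that is my
# addition. Splunk rex syntax (?<name>...) becomes (?P<name>...) in Python.
PATTERNS = {
    # original question: expects a literal '|' and then digits -> never matches words
    "digits_with_escaped_pipe": r"Error - \|(?P<ErrorString>\d+)",
    # same without the pipe: still \d+, so a text message yields a blank field
    "digits_no_pipe": r"Error - (?P<ErrorString>\d+)",
    # the 'up to 30 characters' suggestion
    "up_to_30_chars": r"Error - (?P<ErrorString>.{1,30})",
    # assumed generalisation: everything up to end of line ('.' stops at newline)
    "rest_of_line": r"Error - (?P<ErrorString>.+)",
}


def rex(raw, pattern):
    """Mimic Splunk rex: return the captured group, or None when the field stays blank."""
    m = re.search(pattern, raw)
    return m.group("ErrorString") if m else None


def stats_count_by_host_errorstring(events, pattern):
    """Mimic `| stats count by host ErrorString`.

    As in Splunk, events whose ErrorString is blank are excluded from the
    group-by, so a non-matching rex leaves the table empty.
    """
    counts = Counter()
    for host, raw in events:
        err = rex(raw, pattern)
        if err is not None:
            counts[(host, err)] += 1
    return dict(counts)


def blank_field_count(events, pattern):
    """How many events would show an empty ErrorString column for this pattern."""
    return sum(1 for _, raw in events if rex(raw, pattern) is None)


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name}: {blank_field_count(EVENTS, pattern)} blank")
        for (host, err), n in sorted(stats_count_by_host_errorstring(EVENTS, pattern).items()):
            print(f"  {host:6} {n}  {err}")
```

Running it shows the original `\d+` patterns leave every ErrorString blank (the text after "Error - " is words, not digits, and nothing contains a literal `|`), so the stats table comes out empty. `.{1,30}` and `.+` both capture the message; the fixed-width form silently truncates messages longer than 30 characters, which can merge distinct errors that share a prefix, so the end-of-line form is usually the safer default for a "distinct errors" table.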