Hi Team,
I have a query that output below.
loggerName="test" DC=Test ENV=IT AppName=Test2 HostPort=9443 ClientIP=17.XXX.XX.XXX ClientAppId= ClientAppName= txnId=test1 sessionId=test2 method=test requestHeaders={x---geo-test=TEST, x--test=000, dsid=000188, postman-token=TEST, User-Agent=PostmanRuntime/7.20.1, mid=test x-gs-token=test altdsid=test, deflate, Content-Length=83, X-Real-IP=test, Content-Type=application/json, Cookie=SA-Locale=en_US; dslang=US-EN, Accept=/, Host=sse-ws-p189-test.apple.com ,no-cache,X-MMe-Client-Info= x-mme-client-info= X-MMe-Client-Info= <=Test OS;11.3;16G102> }
Here I would like to capture/Search for the 'Test OS;11.3'
and make it to Test-OS=11.3 and count and chart the Test-OS values (Please note 11.3 is variable value)
Then the I would like to chart the number of logs entries with Test-OS > 13.
extract check:
| makeresults
| eval _raw="loggerName=\"test\" DC=Test ENV=IT AppName=Test2 HostPort=9443 ClientIP=17.XXX.XX.XXX ClientAppId= ClientAppName= txnId=test1 sessionId=test2 method=test requestHeaders={x---geo-test=TEST, x--test=000, dsid=000188, postman-token=TEST, User-Agent=PostmanRuntime/7.20.1, mid=test x-gs-token=test altdsid=test, deflate, Content-Length=83, X-Real-IP=test, Content-Type=application/json, Cookie=SA-Locale=en_US; dslang=US-EN, Accept=/, Host=sse-ws-p189-test.apple.com ,no-cache,X-MMe-Client-Info= x-mme-client-info= X-MMe-Client-Info= <=Test OS;11.3;16G102> }"
| rex "Test OS;(?<Test_OS>[\d.]+)"
recommend:
your_search
| rex "Test OS;(?<Test_OS>[\d.]+)"
| stats count by Test_OS
| where Test_OS > 13
extract check:
| makeresults
| eval _raw="loggerName=\"test\" DC=Test ENV=IT AppName=Test2 HostPort=9443 ClientIP=17.XXX.XX.XXX ClientAppId= ClientAppName= txnId=test1 sessionId=test2 method=test requestHeaders={x---geo-test=TEST, x--test=000, dsid=000188, postman-token=TEST, User-Agent=PostmanRuntime/7.20.1, mid=test x-gs-token=test altdsid=test, deflate, Content-Length=83, X-Real-IP=test, Content-Type=application/json, Cookie=SA-Locale=en_US; dslang=US-EN, Accept=/, Host=sse-ws-p189-test.apple.com ,no-cache,X-MMe-Client-Info= x-mme-client-info= X-MMe-Client-Info= <=Test OS;11.3;16G102> }"
| rex "Test OS;(?<Test_OS>[\d.]+)"
recommend:
your_search
| rex "Test OS;(?<Test_OS>[\d.]+)"
| stats count by Test_OS
| where Test_OS > 13
Unless i am missing something, I cant see Test OS;11.3
in your event?
Added. Pls check.