Hi,
I have log lines that look like this
Fetching documents "FileName1.doc", "FileName2.xls", "FileName10.jpg", "FileName342.docx" <ProcessID>
My goal is to find how many file names there are per ProcessID, given that each name is quoted and separated by a comma and a space. How can I accomplish that?
Thanks!
If the file names are bound by the phrase "Fetching Documents" and the "<ProcessID>", then capturing the names, converting to a list and then enumerating the items in that list will do.
At search time you can catch the data with a runtime extraction:
sourcetype="answers-1371175757" | rex field=_raw "Fetching\sdocuments\s(?<FileNames>.+?)\s+\<(?<ProcessID>.+?)\>" | table FileNames ProcessID
There are, of course, multiple ways of doing that efficiently and you can always improve on that method. This will render something like this:
Instead of a table, use makemv to convert the field to a list - ensure you delimit the members of the list by a comma.
| makemv delim="," FileNames
At this point, enumerate using stats:
| stats count(FileNames) AS count by ProcessID
All together, it should look something like this:
sourcetype="answers-1371175757" | rex field=_raw "Fetching\sdocuments\s(?<FileNames>.+?)\s+\<(?<ProcessID>.+?)\>" | makemv delim="," FileNames | stats count(FileNames) AS count by ProcessID
And, it should produce something like this:
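The same pipeline as the answer above (rex to capture the names and ProcessID, makemv to split them, stats count by ProcessID), written as an added Python example that is not part of the original thread. The log lines are constructed; the example splits on the quoted names rather than on commas, so a comma inside a quoted file name is not counted as an extra file, and it shows the over-count a plain comma delimiter would produce.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post). The third line
# contains a file name with a comma, which a plain comma split over-counts.
LOG_LINES = [
    'Fetching documents "FileName1.doc", "FileName2.xls", "FileName10.jpg", "FileName342.docx" <4711>',
    'Fetching documents "report.pdf" <4711>',
    'Fetching documents "a.txt", "b, with comma.txt" <9001>',
    'Unrelated line that must be ignored',
]

# Equivalent of the rex command: capture everything between the literal
# prefix and the angle-bracketed ProcessID.
LINE_RE = re.compile(r'Fetching\sdocuments\s(?P<FileNames>.+?)\s+<(?P<ProcessID>.+?)>')
# Equivalent of makemv, but on the quoted items rather than on commas.
NAME_RE = re.compile(r'"([^"]*)"')


def parse_line(line):
    """Return (process_id, [file names]) or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    names = NAME_RE.findall(m.group('FileNames'))
    return m.group('ProcessID'), names


def count_files_per_process(lines):
    """Equivalent of `stats count(FileNames) AS count by ProcessID`."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, names = parsed
        counts[pid] += len(names)
    return dict(counts)


def naive_comma_count(lines):
    """Count the way `makemv delim=","` would: split the captured text on commas."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[m.group('ProcessID')] += len(m.group('FileNames').split(','))
    return dict(counts)


if __name__ == '__main__':
    print(count_files_per_process(LOG_LINES))  # {'4711': 5, '9001': 2}
    print(naive_comma_count(LOG_LINES))        # {'4711': 5, '9001': 3}
```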