I have a log with requests with an ordernumber and a response. The response is: 100 - success or 1400,1401,1402 - various errors, eg: 1401 - re-ordering not possible).
2013/10/07 13:42:57,Request with orderNr:13014471; ResponseCode:1401
2013/10/07 13:42:56,Request with orderNr:13014471; ResponseCode:1401
2013/10/07 13:42:55,Request with orderNr:13014471; ResponseCode:100
2013/10/07 13:42:17,Request with orderNr:13035512; ResponseCode:100
2013/10/07 13:40:36,Request with orderNr:13035513; ResponseCode:100
I group similar requests in one transaction:
Request with orderNr | rex field=_raw "Request with orderNr:(?<orderNr>.*); ResponseCode:(?<response>.*)" | transaction orderNr maxspan=1h
How can I concatenate the subsequent values of the ResponseCode field within each transaction? With above I want to make a variable per transaction that contains the values "100 1401 1401", "100", "100"?
I want to count these and put them in a table:
subseqresp count
100 2
100 1401 1401 1
Any help is welcome!
Solution
It works better without a transaction:
Request with orderNr | rex field=_raw "Request with orderNr:(?<orderNr>.*); ResponseCode:(?<response>.*)" | stats list(response) as subseqresp by orderNr | mvcombine subseqresp | chart count by subseqresp
... View more