So I ended up using transaction command before using the streamstats. However, I ended up with this table format.
app app1 start_time end_time
A. A. 1234 1234
B. B. 1238. 1253
C. C. 1345. 1345
So now I need to check if both start_time and end_time have the same values and if yes, remove it in the final table. Seems that's the final step for me.
Thanks
I have this scenario:
log 1: contains -
message: "app started"
_time: 1234
log 2:
message: "ended"
_time: 1235
rex to extract app from log1 and name it app|eval start_time=strftime(_time, "%d-%m-%Y %H:%M:%S") | rex to extract ended from log2 and name it app1|eval end_time=strftime(_time, "%d-%m-%Y %H:%M:%S")| stats values(app) AS app values(app1) as app1 values(start_time) values(endtime) by _time
So when I extracted value of message and time in both logs, I end up in a situation with something like:
app app1 start_time end_time
A 1234 1234
A 1235 1235
What I am looking for is this:
app app1 start_time end_time
A A 1234 1235
The first occurrence of A in app field will be the start details and the first occurrence of A in app1 will have the end_time and both should be on the same row. After that, go to the next row and repeat for other occurrences of A or whatever is in app field and app1 field in the same way.
I would like your help on this.
Thanks
No, that's not what I want. Doing a stat count by classification lists Boy, Girl, Man under Classification. I want to split the match into fields if possible, then do stats count on the new fields.
Is it possible to do something like this:
...|eval Classification=case(match(class,"Boy"),"Boy",match(class,"Girl"),"Girl",match(class,"Man"),"Man") |code_I_am_looking_for | stats count by Boy,Girl,Man
Thanks in advance
Hi J, is there a way of combining two rex searches together say the first one like above and then I have this second rex "[Status] .+? - (?.+)" | code that combines message and output into one name (outMessage)
This should be an easy thing to do but obviously, I am missing it. I need to extract "cannot be located"
c.f.a.k.m.SessionDaoImpl - The owner with id: s3498-34ef-034456d-c65a5678-fcd4-11e5-a5d4f cannot be located
[2016-04-07 15:41:44,760]
Here is my code:
my search | rex "c\.f\.a\.k\.m\.SessionDaoImpl\s\-\sThe\sowner\swith\sid:\s[\w+\d+]\s(?<captureThis>\w+)"\[
Thanks in advance
I need a way of using AND in the eval function case.
For Example:
...mysearch | eval Path = case(Path=="my/path" AND Action=="check", "Yours is available", Path=="your/path" AND Action=="didnotcheck", "Mine is available" )
This did not work for me, so it seems I am doing something wrong. Thanks in advance
I am trying to extract the key/value pairs in this Json field:
[DataJson={"Code":"Error","Reason":"Failed to locate your record. Message [No record]"}]
I tried doing this:
spath | rename Code AS Code, Reason AS Reason | table _time, Code, Reason
I only get values for _time, but not for Code and Reason. I would appreciate your help.
Thanks in advance
Say I have this data:
c.i.m This is just a sample 23456 Yes it is true.
My question is how do I extract 23456 and pass it to a new field since there is no key-value pair in this scenario? I would also want to do a count on the new field.
Thanks and please I would not mind some explanation on your code too.
I have 2 fields like these:
For Field 1:
type=Intelligence
Field 2:
[abcd=[type=High] [Number=3309934] ]
I know I can search by type, but there is another field also named type, so if I do
| ...stats count by type
I would get:
Intelligence
How do I specifically extract High from Field 2? (Typing High in the search is not an option because you could have type=Small.)
Also, using this code:
| ...stats count by abcd
produces: type=High
I only want to see High and not "type="
If you can provide a workable solution either using rex and eval or another code, it would be appreciated.
Thanks in advance