In the following sample log statement:
May 5 13:23:25 172.29.196.32 May 05 13:23:24 Production_EXT_P1 [0x80000001][xsltmsg][notice] mpgw(cfw): trans(7649887)[response][206.201.102.59] gtid(7649887): clientCN:interface2018.meddata.org|version:2|HTTPVerb:GET|inTime:2015-05-05T13:23:24.045|uri:/member/alerts?&memberID=12314289&offset=0&limit=100&numberOfDays=365|reqLatency:3|appLatency:658|resLatency:0|httpCode:200
Log data from clientCN has been extracted into a field, say, DX_XSLTLog. Therefore DX_XSLTLog field has the following:
clientCN:interface2018.meddata.org|version:2|HTTPVerb:GET|inTime:2015-05-05T13:23:24.045|uri:/member/alerts?&memberID=12314289&offset=0&limit=100&numberOfDays=365|reqLatency:3|appLatency:658|resLatency:0|httpCode:200
Questions are:
How to remove the uri params and just get the context itself, /member/alerts in this case?
How to tokenize this key-value data into columns and group by clientCN, uri and httpCode for a count?
P.S: I've tried with extract pairdelim="|", kvdelim=":" with no luck (it removed the inTime and clientCN fields - not sure why)
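Added example, not part of the original post: a Python sketch, run outside Splunk, that parses the DX_XSLTLog value shown above, reduces uri to its context and counts by clientCN, uri and httpCode. Each pair is split on its first colon only, because values such as inTime contain colons themselves. The function names and the second and third sample records are constructed for illustration, and it assumes no value contains "|".

```python
from collections import Counter

# Sample DX_XSLTLog values: the first is the record from the post,
# the second and third are constructed for this example.
SAMPLE = [
    "clientCN:interface2018.meddata.org|version:2|HTTPVerb:GET|inTime:2015-05-05T13:23:24.045|uri:/member/alerts?&memberID=12314289&offset=0&limit=100&numberOfDays=365|reqLatency:3|appLatency:658|resLatency:0|httpCode:200",
    "clientCN:interface2018.meddata.org|version:2|HTTPVerb:GET|inTime:2015-05-05T13:23:25.101|uri:/member/alerts?&memberID=99999999&offset=100&limit=100|reqLatency:2|appLatency:410|resLatency:0|httpCode:200",
    "clientCN:client.example.org|version:2|HTTPVerb:GET|inTime:2015-05-05T13:23:26.300|uri:/member/alerts?&memberID=11111111|reqLatency:4|appLatency:90|resLatency:1|httpCode:500",
]


def parse_record(record):
    """Turn 'key:value|key:value|...' into a dict.

    Only the first ':' in a pair separates key from value, so a value
    like '2015-05-05T13:23:24.045' keeps its own colons.
    """
    fields = {}
    for pair in record.split("|"):
        key, sep, value = pair.partition(":")
        if sep and key:  # skip empty or malformed pairs
            fields[key.strip()] = value
    return fields


def uri_context(uri):
    """Drop the query string and fragment, keeping only the path."""
    return uri.split("?", 1)[0].split("#", 1)[0]


def count_by(records, keys=("clientCN", "uri", "httpCode")):
    """Count records grouped by the given keys, with uri reduced to its path."""
    counts = Counter()
    for record in records:
        fields = parse_record(record)
        if "uri" in fields:
            fields["uri"] = uri_context(fields["uri"])
        counts[tuple(fields.get(k, "") for k in keys)] += 1
    return counts


if __name__ == "__main__":
    for group, n in sorted(count_by(SAMPLE).items()):
        print(*group, n, sep="\t")
```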