How to use rex command to extract two fields and c

2019-09-15 02:40发布

I have a log statement like 2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{"message":{"TransactionStatus":true,"TransactioName":"removeLockedUser-1498029828160"}} . How can i extract TransactionName and TranscationStatus and print in table form TransactionName and its count.

I tried below query but didn't get any success. It is always giving me 0.

sourcetype=10.240.204.69 "TransactionStatus" | rex field=_raw ".TransactionStatus (?.)" |stats count((status=true)) as success_count

标签： splunk splunk-query rex

1条回答

等我变得足够好

2楼-- · 2019-09-15 03:03

Solved it with this :

| makeresults | eval _raw="2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{\"message\":{\"TransactionStatus\":true,\"TransactioName\":\"removeLockedUser-1498029828160\"}}" | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | rex "{\"TransactionStatus\":(?[^,]),\"TransactioName\":\"(?[^\"])\"" | chart count OVER TransactioName BY TransactionStatus

0人赞添加讨论(0) 举报

How to use rex command to extract two fields and c

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间