如何在一个搜索查询中使用rex命令提取两个字段并绘制两个字段的图表? [英] How to use rex command to extract two fields and chart the count for both in one search query?

问题描述

我有一条日志语句，如2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181-{"message":{"TransactionStatus":true，"TransactioName":"removeLockedUser-1498029828160"} }. 如何提取TransactionName和TranscationStatus并以表格形式TransactionName及其计数进行打印.

I have a log statement like 2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{"message":{"TransactionStatus":true,"TransactioName":"removeLockedUser-1498029828160"}} . How can i extract TransactionName and TranscationStatus and print in table form TransactionName and its count.

我在下面的查询中尝试过，但是没有成功.它总是给我0.

I tried below query but didn't get any success. It is always giving me 0.

sourcetype = 10.240.204.69"TransactionStatus" | rex field = _raw".TransactionStatus(?.)" |以status count((status = true))作为成功计数

sourcetype=10.240.204.69 "TransactionStatus" | rex field=_raw ".TransactionStatus (?.)" |stats count((status=true)) as success_count

推荐答案

解决了这个问题:

|结果 | eval _raw ="2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181-{\" message \:{\" TransactionStatus \:true，\" TransactioName \:\" removeLockedUser-1498029828160 \}}" |重命名为COMMENT AS上面的所有内容都会生成示例事件数据；下面的所有内容都是您的解决方案" | rex"{\" TransactionStatus \:(?[^，] )，\" TransactioName \:\"(?[^ \] )\" |图表计数超过TransactioName按TransactionStatus

| makeresults | eval _raw="2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{\"message\":{\"TransactionStatus\":true,\"TransactioName\":\"removeLockedUser-1498029828160\"}}" | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | rex "{\"TransactionStatus\":(?[^,]),\"TransactioName\":\"(?[^\"])\"" | chart count OVER TransactioName BY TransactionStatus

这篇关于如何在一个搜索查询中使用rex命令提取两个字段并绘制两个字段的图表?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！