topic Re: Need help with log having multiple occurrence of same field in Getting Data In

Need help with log having multiple occurrence of same field

abishekmaggo — Tue, 29 Sep 2020 18:56:55 GMT

I have following logs where field4 is coming twice in each log line.

Example:
2018-04-06T23:01:36.264+0000 logLevel=INFO Response=(( filed1=XXX, field2=ZZZZ), field3=jeSession, field4=abc_xxx, field6=ddd.com, field6=)) field7=service1 field4=xyz_xxx field8=ser1
2018-04-06T23:01:36.264+0000 logLevel=INFO Response=(( filed1=YYY, field2=ZZZZ1), field3=tuSession, field4=abc_yyy, field6=ccc.com, field6=)) field7=service2 field4=xyz_yyy field8=ser2

How I can make sure it always pick first field4 for value (one with value as "acd_xxx", "abc_yyy"). I tried using mvindex but it works with multiple value in field itself (e.g. field4=xxx,yyy)

I want to display count by first field4 only

index=XXXXX | eval res=mvindex(field4,0) | stats count by res

Re: Need help with log having multiple occurrence of same field

adonio — Sat, 07 Apr 2018 01:52:10 GMT

hello there,

i am positive there other ways to solve it, here is a quick one assuming your data looks always like your samples
use the |rex command to point only to your first field4 maybe something like this:

index = XXXXX
| rex "field3=\S+,\sfield4=(?<field4>\S+),"
| stats count by field4

see link:
https://regex101.com/r/uMivWN/1
note: my regex might not be the best one

hope it helps

Re: Need help with log having multiple occurrence of same field

niketn — Sat, 07 Apr 2018 16:23:32 GMT

@abishekmaggo, first occurrence of field4 is followed by field6 while the second occurrence of field4 is followed by field8. So maybe you can use that to your advantage.

<yourBaseSearch>
| rex "field4=(?<field4>[^,]+),field6="