I've read a few posts here already but hoping to clarify some items that I have. I need regex (rex) a raw or list msg then perform a "stats count by field" on that field found.
Thanks!
LIST VIEW: (with escape characters)
\"processingStatus\":\"BIDDING_STARTED\"
RAW VIEW:
msg: 2018-10-11 15:32:07.973 INFO 14 --- [aaa-8080-exec-6] a.b.c.shoppingCartController : Response = [{"resourceId”:”f133b31e0-1234-1234-1234-rt1204bf8122”,”customerId":4194562,"consumerKey":"f133b31e0-1234-1234-1234-rt1204bf8122","externalId":"SHOEX:201810090738498037101234: 201810090738498037101234","shoes":{"relativeId":"f133b31e0-1234-1234-1234-rt1204bf8122","externalId":"SHOEX:521900”,”name":"VaporFly","gender":"MALE","year":1,"birthDate":{"year”:2018,”month”:9,”day":1},"classification":{"model":"Runnning","brand":"NIKE","environment":"Road"},"classifications":{"model":"Runnning","brand":"NIKE","environment":"Road"}},"person":{"relativeId":"5e3b69e5-8586-4bbf-99fd-a42f38609c0b","externalId":"SHOEX:568156","name":{"first":"Kipchoge","last":"Eliud"},"postalAddresses":[{"parentResourceId":"5e3b69e5-8586-4bbf-99fd-a42f38609c0b","streetAddress":["123 INTERNATIONA PKWY"],"city":"New York","state":{"name":"New York","code”:”NY”},”postalCode”:”12345”,”country":{"name":"UNITED STATES","iso2code":"US","iso3code":"USA","system":"http://abc-open.org/iso/3166/"}}],"electronicAddresses":[{"parentResourceId":"f133b31e0-1234-1234-12... Weight","system":{"identifier":"http://shoe”,”name”:”VAPORFLY FLYKNIT”,”version":"V2”}}],”text":"Weight"},"value":{"quantity”:7.9,”uncertainty":0.0,"units":{"symbol":"lb","unitSystem”:”METRIC”}}}]},”createdDateTime":{"date":{"year":2018,"month”:10,”day”:1},”time":{"hour":14,"minute":48,"second":5,"nano”:124000000}},"updatedDateTime":{"date":{"year":2018,"month":10,"day":9},"time":{"hour":14,"minute":48,"second":11,"nano":377000000}},"status":"Processed","processingStatus”:”BIDDING_STARTED”,”links":[{"rel":"self","href":"https://coding.io/v1/ShoppingCarts/a47b31e0-7443-48a9-8d98-ac3204bf824a","template":{"variables":{"v...]
Try this regex:
|rex "processingStatus”:”(?<processingStatus>[^\”]+)"
Rex seems to be ok but I'm not seeing any results parsed or when I add the stats count after?
|rex "processingStatus”:”(?[^\”]+)" | stats count by processingStatus
@elheffe, try exactly same command what I shown with <processingStatus>
so that it will store extracted value in field name processingStatus then you can try stats command
|rex "processingStatus”:”(?<processingStatus>[^\”]+)"| stats count by processingStatus
@493669
I think one of the issue is our Prod defaulting the view to "List" view instead of raw view. This is one of the reason that I might not getting the actual hit or stats based on the query we both have.
Any idea on how I can indicate that I should be in "raw" result mode?
Below is a sample list view as default mode coming up to our prod splunk - picture that value with processingStatus field.
https://answers.splunk.com/storage/temp/256156-json.jpg
on above i am not able to find processingStatus
field..
and secondly if you want statistics and not raw event then click on statistics tab or you can search your query in smart mode instead of verbose mode.