
Trying to remove certain strings in an aggregated operation

Path Finder

Hello,

From the below query

  1. I am trying to remove certain strings from a field "message" or find a specific string, but it does not seem to be working. I tried including but the result still has values which have this message
  2. At the same time I tried using the command to remove the strings which are in the field message, but it still does not seem to work

index=apps
sourcetype="pos-generic:prod" Received request to change status=CONFIRMED OR status=REJECTED
partneraccountname="Level Up"
| stats count by status, merchantId
| xyseries merchantId, status, count
| eval result = (REJECTED)/((CONFIRMED+REJECTED))*100
| fillnull value=100 result
| eval count = CONFIRMED + REJECTED
| where count >= 10
| where result >= 20


Re: Trying to remove certain strings in an aggregated operation

Builder

Just a few observations from what you've posted.

  1. Consider putting this in double quotes: Received request to change
  2. For readability, make your stats say stats count AS Volume by status,count. Then you can use Volume later on with less confusion.
  3. The stats command destroys native fields and only gives you the aggregated fields it produces. So you cannot access REJECTED or CONFIRMED.
  4. Can you please post what you get after your xyseries line and what you want to do with those values? Feel free to dummy up the data to hide confidential info.

Re: Trying to remove certain strings in an aggregated operation

Path Finder

So when I run the query mentioned above I get the following result

The merchantID 1684264 has message "xyz" and also has a REJECT count of 6. I verified all the REJECTs of this merchantId have the same message.

Now I am trying to execute the query as below

index=apps
sourcetype="pos-generic:prod" Received request to change status=CONFIRMED OR status=REJECTED AND message!="xyz"
partneraccountname="Level Up"
| stats count by status, merchantId
| xyseries merchantId, status, count
| eval result = (REJECTED)/((CONFIRMED+REJECTED))*100
| fillnull value=100 result
| eval count = CONFIRMED + REJECTED
| where count >= 10
| where result >= 20

My expectation is not to show the result of merchantId = 1684264, as all 6 of its REJECT counts have this message (my expectation is getting fulfilled). When I was trying yesterday it was not; maybe I was doing something wrong.

Now what I want to try is, instead of passing an exact string for the message field, I would want to pass something like message contains something like "item". So it might be "some items missing" or "items not there". So I just want to use "item" as the common


Re: Trying to remove certain strings in an aggregated operation

Path Finder

I tried using but it is not giving me any result


Re: Trying to remove certain strings in an aggregated operation

Path Finder

OK, I used something like
| regex message != "item"

Not sure if this would have any further complications. Checking.

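An added example, not part of any post in the thread: the "message contains item" exclusion asked about above, written two ways against the thread's own query. The first query uses a wildcard in the base search; the second uses the regex command, placed before stats because stats discards the message field. The parentheses around the status terms, the quoted phrase, and the (?i) flag are choices made for this example.

```spl
index=apps sourcetype="pos-generic:prod" "Received request to change"
    (status=CONFIRMED OR status=REJECTED) partneraccountname="Level Up"
    NOT message="*item*"
| stats count by status, merchantId
| xyseries merchantId, status, count
| eval result = (REJECTED)/((CONFIRMED+REJECTED))*100
| fillnull value=100 result
| eval count = CONFIRMED + REJECTED
| where count >= 10
| where result >= 20

index=apps sourcetype="pos-generic:prod" "Received request to change"
    (status=CONFIRMED OR status=REJECTED) partneraccountname="Level Up"
| regex message!="(?i)item"
| stats count by status, merchantId
| xyseries merchantId, status, count
| eval result = (REJECTED)/((CONFIRMED+REJECTED))*100
| fillnull value=100 result
| eval count = CONFIRMED + REJECTED
| where count >= 10
| where result >= 20
```

In the base search, NOT message="*item*" also keeps events that have no message field, whereas message!="*item*" drops them. Wildcard matching in the base search is case-insensitive, while the regex command is case-sensitive unless (?i) is given.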