Is this a one time use extraction, or do you need to do this extraction on a regular basis? Also, is the JSON formatting always identical where it always begins with:
{"log":" \"status\" : \"END\"
If it's only a time time use, what if you treat the double-quotes as a delimiter of a multivalue string? Then the SPL will be something like below to spit out \"status\"
| makeresults
| eval aaa="{\"log\":\" \\\"status\\\" : \"END\",\",\"payload\":\"stdout\",\"time\":\"2021-08-13T11:54:17.255787345Z\"}"
| eval aaa="\\\"".mvindex(split(aaa, "\""), 4)."\""
Is this a one time use extraction, or do you need to do this extraction on a regular basis? Also, is the JSON formatting always identical where it always begins with:
{"log":" \"status\" : \"END\"
If it's only a time time use, what if you treat the double-quotes as a delimiter of a multivalue string? Then the SPL will be something like below to spit out \"status\"
| makeresults
| eval aaa="{\"log\":\" \\\"status\\\" : \"END\",\",\"payload\":\"stdout\",\"time\":\"2021-08-13T11:54:17.255787345Z\"}"
| eval aaa="\\\"".mvindex(split(aaa, "\""), 4)."\""
Can you please try this?
YOUR_SEARCH
| rex field=_raw "\\\\\"status\\\\\"\s\:\s\\\\\"(?<status>.*)\\\\\","
| stats count by status
My Sample Search :
| makeresults | eval _raw="{\"log\":\" \\\"status\\\" : \\\"END\\\",\",\"payload\":\"stdout\",\"time\":\"2021-08-13T11:54:17.255787345Z\"}"
| rex field=_raw "\\\\\"status\\\\\"\s\:\s\\\\\"(?<status>.*)\\\\\","
| stats count by status
KV
hi @rkishoreqa,
Use rex command.
| makeresults
| eval f="{\"log\":\" \"status\" : \"END\",\",\"payload\":\"stdout\",\"time\":\"2021-08-13T11:54:17.255787345Z\"}"
| rex field=f "\"status\"\s:\s\"(?<status>\w+)\""
If this reply helps you, a like would be appreciated.
I tried with below query, but it is not working.
index="dev" |rex field=f "\"status\"\s:\s\"(?<status>\w+)\"" |stats count by status.
Remove field=f in your query. For field, you need to specify the actual field name that exists in your index dev. Or don't specify if you are extracting values from _raw event.
Try without specifying field:
index="dev" | rex "\"status\"\s:\s\"(?<status>\w+)\"" | stats count by status
If you have backslashes in your data then,
index="dev" | rex "\"status\\\\\"\s:\s\\\\\"(?<status>[^\\\]+)"