I need a query to group similar stack traces across requests (CR = Correlation Id) in a specific format:
Query:
index="myIndex" source="/mySource" "*exception*"
| rex field=_raw "(?P<firstFewLinesOfStackTrace>(.*\n){1,5})"
| eval date=strftime(_time, "%d-%m-%Y")
| head 3
| reverse
| table date, CR, count, firstFewLinesOfStackTrace
Format:
Date | CR | Count | Log |
01/12/22 | CR_1 CR-2 | 2 | StackTrace1 StackTrace2 StackTrace3 |
02/12/22 | CR_1 CR-2 CR-3 | 3 | DiffStackTrace1 DiffStackTrace2 DiffStackTrace3 |
I am not sure how to group these logs, as each stack trace has _time as a unique identifier, and also how to get the result in the above format (what to use: stats, eventstats, table, etc.). Please help, thanks in advance.
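One way to produce the requested layout in SPL, added here as an illustration and not the asker's query or part of the reply below. It assumes the CR field is already extracted from the events (as the asker's `table` command implies) and introduces two hypothetical helper fields, `trace_sig` (a normalised copy of the captured lines, with line numbers masked so traces that differ only there still group together) and `Log` (the distinct raw traces behind each group). Grouping by date and `trace_sig`, then counting distinct CRs, gives one row per date and per similar-trace cluster:

```spl
index="myIndex" source="/mySource" "*exception*"
| rex field=_raw "(?P<firstFewLinesOfStackTrace>(?:[^\n]*\n){1,5})"
| eval date=strftime(_time, "%d-%m-%Y")
``` Normalise the captured lines so only the shape of the trace matters:
``` mask "(Foo.java:123)" -> "(Foo.java:N)" before hashing (hypothetical field trace_sig)
| eval trace_sig=md5(replace(firstFewLinesOfStackTrace, ":\d+\)", ":N)"))
``` One row per day and per similar-trace signature; count = number of distinct CRs affected:
| stats dc(CR) AS count, values(CR) AS CR, values(firstFewLinesOfStackTrace) AS Log BY date, trace_sig
| sort 0 date, -count
| table date, CR, count, Log
```

`values()` de-duplicates, so CR and Log become multivalue fields rendered one entry per line; `mvjoin(CR, " ")` turns them into the single-line form shown in the requested table if preferred. From a triage standpoint the `dc(CR)` column is the useful signal: a trace that suddenly spans many correlation ids on one day points at a shared fault (or a shared input) rather than a single bad request, and is the row worth alerting on.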
@ravimishrabglr - I don't know the logs exactly here but I'll try to provide an approach that should work with what you are trying to solve:
I hope this helps!!!