I need to find out the error codes from logs and segregate them. The log below is one example.
2021-06-08T05:42:29.141140+00:00 DEBUG html5client-v3[19206]: [xid@1192 xid=S2TF6U5T--7 cid=Arris-110_20F19EB3C050 did= sid=5kCrKTc-K-4 hid="19206"] CONSOLE:0 (null) - 06-08-2021 05:42:29.141 DEBUG (SGUI.VENONA_ANALYTICS){"action":"error","data":{"category":"error","triggeredBy":"application","errorCode":"GEN-1016","errorType":"application","errorMessage":"We're sorry, we're unable to load your subscription info. Please try again later. \nReference Code: GEN-1016","success":false,
index=platform sourcetype=cloudtvapp NOT (host="*dev*")
| rex "\"errorCode\":\"(?<errorCode>[^\"]+)"
| table errorCode cid
Thank you for the quick response, @ITWhisperer.
It's not printing the errorCode with the respective cid value. The search and filter happened, but nothing is printed with the above search. Any inputs?
Is cid being extracted automatically or do you need to extract as part of your search?
The search below helped to get the desired output, but I need an errorType filter in "rex". Can you guide me?
index=platform sourcetype=cloudtvapp NOT (host="*dev*" OR host="*zod*")
| rex "\"errorCode\":\"(?<errorCode>[^\"]+)"
| search errorCode="*"
| stats count(errorCode) by errorCode host
cid was added automatically. But I need "errorType" and "errorMessage" with the respective filter in "rex". Can you guide me?
Basically, I need to add more than one field search in "rex".
index=platform sourcetype=cloudtvapp NOT (host="*dev*" OR host="*zod*")
| rex "\"errorCode\":\"(?<errorCode>[^\"]+)\",\"errorType\":\"(?<errorType>[^\"]+)\",\"errorMessage\":\"(?<errorMessage>[^\"]+)"
| search errorCode="*"
| stats count values(errorType) as errorType values(errorMessage) as errorMessage by errorCode host
Thank you a lot
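An added example, not part of the thread: a Python harness for testing the extraction offline before putting the patterns into rex. It compares the chained pattern from the answer with one pattern per key, which still works when the keys arrive in a different order or the message contains escaped quotes. The second and third events, their cid values and the code EX-0001 are constructed.

```python
import re
from collections import Counter

# One pattern per key: key order in the payload does not matter, and a payload
# cut off mid-object (like the thread's sample) still yields the keys it has.
# (?:[^"\\]|\\.)* lets the value contain escapes such as \" and \n.
FIELDS = ("errorCode", "errorType", "errorMessage")
PER_KEY = {f: re.compile(r'"%s":"((?:[^"\\]|\\.)*)"' % f) for f in FIELDS}
# cid sits in the bracketed header, e.g. [xid@1192 xid=... cid=... did= sid=...]
CID = re.compile(r'\bcid=(\S*)')
# The single chained pattern from the thread, for comparison.
CHAINED = re.compile(
    r'"errorCode":"([^"]+)","errorType":"([^"]+)","errorMessage":"([^"]+)')

EVENTS = [
    # The sample event from the thread (its payload is truncated there too).
    r"""2021-06-08T05:42:29.141140+00:00 DEBUG html5client-v3[19206]: [xid@1192 xid=S2TF6U5T--7 cid=Arris-110_20F19EB3C050 did= sid=5kCrKTc-K-4 hid="19206"] CONSOLE:0 (null) - 06-08-2021 05:42:29.141 DEBUG (SGUI.VENONA_ANALYTICS){"action":"error","data":{"category":"error","triggeredBy":"application","errorCode":"GEN-1016","errorType":"application","errorMessage":"We're sorry, we're unable to load your subscription info. Please try again later. \nReference Code: GEN-1016","success":false,""",
    # Constructed: keys in a different order, escaped quotes in the message.
    r'2021-06-08T05:43:01.000000+00:00 DEBUG html5client-v3[19206]: [xid@1192 xid=CONSTRUCTED-2 cid=Example-000_000000000001 did= sid=S hid="19206"] CONSOLE:0 (null) - (SGUI.VENONA_ANALYTICS){"action":"error","data":{"errorMessage":"Could not open \"Guide\". \nReference Code: EX-0001","errorType":"application","errorCode":"EX-0001"}}',
    # Constructed: a DEBUG line with no error payload.
    r'2021-06-08T05:43:02.000000+00:00 DEBUG html5client-v3[19206]: [xid@1192 xid=CONSTRUCTED-3 cid=Example-000_000000000002 did= sid=S hid="19206"] CONSOLE:0 (null) - heartbeat ok',
]

def extract(event):
    """Fields found in one raw event, or None when there is no errorCode."""
    row = {f: m.group(1) for f, p in PER_KEY.items() if (m := p.search(event))}
    if "errorCode" not in row:
        return None
    cid = CID.search(event)
    row["cid"] = cid.group(1) if cid else ""
    return row

def count_by_code(events):
    """Equivalent of `stats count by errorCode` over the extracted rows."""
    return Counter(r["errorCode"] for r in map(extract, events) if r)

if __name__ == "__main__":
    for e in EVENTS:
        print(extract(e), "| chained pattern matches:", bool(CHAINED.search(e)))
    print(count_by_code(EVENTS))
```

Events that the chained pattern skips never reach the stats stage, so the counts come out low without any error being reported.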