1 Solution
I think you have to extract message value from raw. Bcoz it looks _raw is not a valid json.
Can you please try this?
| rex field=_raw "message:(?<message>.*)}"
| eval extended_message= case(
match(_raw,"AZK"),"Message AZK",
match(_raw,"BCK"),"Message BCK",
1=1, message)
| stats count as nombre by extended_message
| sort nombre desc
| table extended_message, nombre
My Sample Search :
| makeresults
| eval raw="{message:AZK} x 10|{message:BCK} x 5|{message:C} x 3", raw=split(raw,"|")
| mvexpand raw
| rename raw as _raw
|rename comment as "upto this is sample data"
| rex field=_raw "message:(?<message>.*)}"
| eval extended_message= case(
match(_raw,"AZK"),"Message AZK",
match(_raw,"BCK"),"Message BCK",
1=1, message)
| stats count as nombre by extended_message
| sort nombre desc
| table extended_message, nombre
I hope this will help you.
Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.
I think you have to extract message value from raw. Bcoz it looks _raw is not a valid json.
Can you please try this?
| rex field=_raw "message:(?<message>.*)}"
| eval extended_message= case(
match(_raw,"AZK"),"Message AZK",
match(_raw,"BCK"),"Message BCK",
1=1, message)
| stats count as nombre by extended_message
| sort nombre desc
| table extended_message, nombre
My Sample Search :
| makeresults
| eval raw="{message:AZK} x 10|{message:BCK} x 5|{message:C} x 3", raw=split(raw,"|")
| mvexpand raw
| rename raw as _raw
|rename comment as "upto this is sample data"
| rex field=_raw "message:(?<message>.*)}"
| eval extended_message= case(
match(_raw,"AZK"),"Message AZK",
match(_raw,"BCK"),"Message BCK",
1=1, message)
| stats count as nombre by extended_message
| sort nombre desc
| table extended_message, nombre
I hope this will help you.
Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.
