I have an event, for example:
request="GET /?act=auth&url=auth&email=auth&type=auth&status=auth HTTP/1.1" status=403 reqid="xxxxxxxxxx"
I need status to be 403, not auth.
I am executing the query:
index="abc" | eval status = mvindex(status,-1) | stats count by status
I need it to return 403 with count 1, but it is returning auth with count 1.
@to4kawa Please check
index="abc"
| rex "\sstatus=(?<status>\d+)\s"
| stats count by status
Why is the `status` a multiple value?
There is something wrong with the field values.
I have no choice but to re-extract it.
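Added example (not part of the thread and not the answerer's code): a Python sketch of why re-extracting with an anchored pattern returns 403 while a generic key=value pass also sees the `status=auth` supplied in the URL. The `NAIVE_KV` extractor is an assumed simplification, not Splunk's real extractor; the second event and `ANCHORED_REX` are constructed here to cover the case where `status` is the last field, which the answer's trailing `\s` does not match.

```python
import re
from collections import Counter

# Constructed sample events; the first is the event quoted in the question.
EVENTS = [
    'request="GET /?act=auth&url=auth&email=auth&type=auth&status=auth HTTP/1.1" '
    'status=403 reqid="xxxxxxxxxx"',
    # Constructed variant: status is the last field, so nothing follows it.
    'request="GET /?status=auth HTTP/1.1" reqid="yyyyyyyyyy" status=200',
]

# Assumption: a simplified stand-in for generic key=value extraction,
# not Splunk's real extractor. It also picks up pairs inside the request line.
NAIVE_KV = re.compile(r'(\w+)=([^\s&"]+)')

# The rex pattern from the answer, in Python named-group syntax (?P<name>...).
ANSWER_REX = re.compile(r'\sstatus=(?P<status>\d+)\s')

# Variant that also accepts status at the start or end of the event.
ANCHORED_REX = re.compile(r'(?:^|\s)status=(?P<status>\d+)(?:\s|$)')


def naive_values(event, key="status"):
    """All values the naive extractor finds for key, in event order."""
    return [v for k, v in NAIVE_KV.findall(event) if k == key]


def extract(event, pattern):
    """Return the captured status, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("status") if m else None


def count_by_status(events, pattern):
    """Equivalent of `stats count by status` over events with a status."""
    found = (extract(e, pattern) for e in events)
    return Counter(s for s in found if s is not None)


if __name__ == "__main__":
    for e in EVENTS:
        print(naive_values(e), extract(e, ANSWER_REX), extract(e, ANCHORED_REX))
    print(count_by_status(EVENTS, ANCHORED_REX))
```

Because the value after `&status=` comes from the client's request, only the whitespace-delimited, digits-only match should feed status counts or alerts.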
What's your current query?
Current query
index "abc" | eval status = mvindex(index,0) | stats values(status)
This should return auth
You said:
I execute multiple queries
1) stats count by the status: it returns auth
2) tried also mvindex(status,-1) to get the last index; that didn't work, it returns auth
3) stats values(status) returns auth
but the query you display is
index "abc" | eval status = mvindex(index,0) | stats values(status)
Which is true?
If you're presented with a query that doesn't work, I don't know what it is.