Solved: Combine table rows

lgroot · ‎09-24-2015

Hi everyone,

I've got a question about a query i have made:

index=security-mijnssp "View rendered = /error.jspx" OR "Er is een fout opgetreden op de JSF pagina"  | rex "BSN=(?P<BSN>[^<]+) View" | rex "INFO  n.s.m.w.l(?P<INFO>[^<]+)"|rex "ERROR n.s.m.w.l(?P<ERROR>[^<]+)"|  table INFO,BSN, ERROR, _time

Is it possible to combine the results of this query in one row?
So that the INFO,BSN,ERROR and time are in one row?

somesoni2 · ‎09-24-2015

You would be able to combine this if they have a common field that can correlate them. From the example/screenshot, only common field I can see is _time, so my answer is based on _time, change the field if there are any other common fields.

Update
Actually BSN is the common field, so updating it to BSN

 index=security-mijnssp "View rendered = /error.jspx" OR "Er is een fout opgetreden op de JSF pagina"  | rex "BSN=(?P<BSN>[^<]+) View" | rex "INFO  n.s.m.w.l(?P<INFO>[^<]+)"|rex "ERROR n.s.m.w.l(?P<ERROR>[^<]+)"|  table INFO,BSN, ERROR, _time |stats values(*) as * by BSN

View solution in original post

somesoni2 · ‎09-24-2015

You would be able to combine this if they have a common field that can correlate them. From the example/screenshot, only common field I can see is _time, so my answer is based on _time, change the field if there are any other common fields.

Update
Actually BSN is the common field, so updating it to BSN

 index=security-mijnssp "View rendered = /error.jspx" OR "Er is een fout opgetreden op de JSF pagina"  | rex "BSN=(?P<BSN>[^<]+) View" | rex "INFO  n.s.m.w.l(?P<INFO>[^<]+)"|rex "ERROR n.s.m.w.l(?P<ERROR>[^<]+)"|  table INFO,BSN, ERROR, _time |stats values(*) as * by BSN

Combine table rows

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?