I have events in my logs that look like
{
linesPerSec: 1694.67
message: Status:
rowCount: 35600000
severity: info
}
When I make a search like:
index="apps" app="my-api" message="*Status:*" | table _time, linesPerSec, rowCount
This is what my table ends up looking like
How do I get the number value away from the key for both linesPerSec and rowCount? I want to see all instances. I tried using values(linesPerSec) but that seemed to aggregate only unique.
Thanks,
Nate
Hey Nate,
This simple extraction should do the trick.
...BASE SEARCH...
| rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)"
Thanks for the response!
If I wanted to get those values into the table how would I go about that?
index="apps" app="my-api" message="*\Status:*" | table linesPerSec, rowCount | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)"
I still get the table values as the key/value.
No problem!
Since the fields don't exist until after the extraction is complete, you'll need to move the table to be after your extraction in order to see them.
This should correct the issue:
index="apps" app="my-api" message="*\Status:*" | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)" | table _time linesPerSec, rowCount
Let me know if there are any problems!
Just tried that. Still doesn't seem to like to separate the values.
Let's try a different approach -- extracting directly from the fields themselves.
Could you give this a try for me?
index="apps" app="my-api" message="*\Status:*"
| rex field=linesPerSec "(?<LPS>[\d\.]+)"
| rex field=rowCount "(?<RC>\d+)"
| table _time LPS RC
Since I'm not exactly sure if the problem is coming from the fields or the extraction, I'm just going to bypass both and create two new fields: LPS (linesPerSec) and RC (rowCount).
These should contain the correct values.
That worked! Thanks so much!
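For anyone who wants to check the two rex approaches from this thread outside Splunk, here is an added example (not from any of the posts above) that replays them in JavaScript, whose regex engine accepts the same `(?<name>...)` named-group syntax the rex command uses. The `_raw` text and the key/value-shaped field values are constructed to match the event shown in the question.

```javascript
// Added example: replays both rex strategies from the thread on a constructed event.
// Constructed copy of the event from the question, as it would appear in _raw.
const RAW_EVENT = [
  "{",
  "linesPerSec: 1694.67",
  "message: Status:",
  "rowCount: 35600000",
  "severity: info",
  "}",
].join("\n");

// Strategy 1 (first answer): one rex over _raw, using the thread's pattern verbatim.
// [\S\s]+ also matches newlines, so it spans the lines between the two keys.
const RAW_PATTERN =
  /linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)/;

function extractFromRaw(raw) {
  const m = RAW_PATTERN.exec(raw);
  // rex leaves the fields unset when the pattern does not match; mirror that with null.
  if (!m) return { linesPerSec: null, rowCount: null };
  // Note: \S+ runs up to the next whitespace, so a trailing comma or bracket
  // glued to the number (e.g. in a single-line event) ends up in the capture.
  return { linesPerSec: m.groups.linesPerSec, rowCount: m.groups.rowCount };
}

// Strategy 2 (accepted answer): rex against each already-extracted field.
// In the thread the fields still carried their key ("linesPerSec: 1694.67"),
// so these patterns pull out only the numeric part.
const LPS_PATTERN = /(?<LPS>[\d\.]+)/; // decimals allowed
const RC_PATTERN = /(?<RC>\d+)/;       // integer only

function extractFromFields(fields) {
  // A missing field behaves like an empty string, so the result is null, not a crash.
  const lps = LPS_PATTERN.exec(fields.linesPerSec ?? "");
  const rc = RC_PATTERN.exec(fields.rowCount ?? "");
  return {
    LPS: lps ? Number(lps.groups.LPS) : null,
    RC: rc ? Number(rc.groups.RC) : null,
  };
}

// Stand-alone run: both strategies on the constructed event.
console.log(extractFromRaw(RAW_EVENT));
console.log(extractFromFields({ linesPerSec: "linesPerSec: 1694.67", rowCount: "rowCount: 35600000" }));
```

As in the accepted answer, a `table` over LPS and RC only makes sense after these extractions have run; before that the columns do not exist.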
You could use a regex to extract just the number.
| rex field=_raw "linesPerSec (?<linesPerSec>\d+$)"
| rex field=_raw "rowCount (?<rowCount>\d+$)"
EDIT: Can't get it to show, but between the ? and \d would be the value name you want to use in the search, surrounded by <>.
This would get you just the number values. If you are using the log a lot, you should also look at setting up a field extraction; it would make it easier in the future.