CSV log file data:
WIWEB-A WIWEB-A_1 PASSED
WIWEB-A WIWEB-A_2 FAILED
WIWEB-A WIWEB-A_3 PASSED
WIWEB-B WIWEB-B_1 PASSED
WIWEB-C WIWEB-C_1 SKIPPED
PI-A PI-A_1 CANCELLED
PI-A PI-A_2 PASSED
PI_B PI-A_1 CANCELLED
DC_A DC_A_1 FAILED
DC_B DC_B_1 FAILED
We are expecting the results to come in the below format.
1)
WIWEB* 5
PI* 3
DC* 2
2)
PASSED 3 1 0
FAILED 1 0 2
CANCELLED 0 2 0
SKIPPED 1 0 0
Can you please suggest queries for the above two report formats?
Thanks
Hi, thanks for the reply. However, we would like to group the values in the PROJ_NAME field, such as all values starting with WIWEB... as group-1, all DC.... as group-2, all PI... as group-3.
Then have the count from the TAT_NAME field group-wise, along with the count of status for that group.
Name: total
group-1 5
group-2 3
group-3 2
status: group-1 group-2 group-3
passed 3 1 0
failed 1 0 2
Hope this clarifies.
sourcetype="answerstest" | rex field=PROJ_NAME "(?
yields the following:
PROJ count
1 DC 2
2 PI 3
3 WIWEB 5
Unfortunately, my cut and paste is being re-formatted.
Again, make sure that PROJ is in upper case within the angle brackets that are in the rex command.
The following search:
sourcetype="answerstest" | rex field=PROJ_NAME "(?
uses a regex to pull out the prefix of the PROJ_NAME field and create a new field called PROJ, which is used in the results table (which should match your second example).
STATUS WIWEB PI DC TOTAL
1 PASSED 3 1 0 4
2 FAILED 1 0 2 3
3 CANCELLED 0 2 0 2
4 SKIPPED 1 0 0 1
5 TOTAL 5 3 2 10
I used the following data to test.
11/16/11 8:58:09.000 AM, WIWEB-A, WIWEB-A_1, PASSED
11/16/11 8:58:09.000 AM, WIWEB-A, WIWEB-A_2, FAILED
11/16/11 8:58:09.000 AM, WIWEB-A, WIWEB-A_3, PASSED
11/16/11 8:58:09.000 AM, WIWEB-B, WIWEB-B_1, PASSED
11/16/11 8:58:09.000 AM, WIWEB-C, WIWEB-C_1, SKIPPED
11/16/11 8:58:09.000 AM, PI-A, PI-A_1, CANCELLED
11/16/11 8:58:09.000 AM, PI-A, PI-A_1, PASSED
11/16/11 8:58:09.000 AM, PI-B, PI-B_1, CANCELLED
11/16/11 8:58:09.000 AM, DC_A, DC_A_1, FAILED
11/16/11 8:58:09.000 AM, DC_B, DC_B_1, FAILED
I created field extractions to match your fieldnames.
Using your fieldnames above, the first table should be:
sourcetype="yoursourcetype" | rex field=PROJ_NAME "(?
For the second table:
sourcetype="yoursourcetype" | rex field=PROJ_NAME "(?
or
sourcetype="yoursourcetype" | rex field=PROJ_NAME "(?
You'll get row and column totals automatically.
Make sure PROJ is upper case within the angle brackets in the rex command. There was an issue with the pasted text.
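An added example, not part of the original thread and not the posters' Splunk search: the same prefix grouping and STATUS-by-PROJ table reproduced in Python, so the expected numbers can be checked outside Splunk. The regex is an assumption (prefix = leading run of capital letters, which covers both the "-" and "_" separators in the question's data), and the function names and the OTHER bucket are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the rows from the question (PROJ_NAME, TAT_NAME, STATUS).
SAMPLE = """\
WIWEB-A WIWEB-A_1 PASSED
WIWEB-A WIWEB-A_2 FAILED
WIWEB-A WIWEB-A_3 PASSED
WIWEB-B WIWEB-B_1 PASSED
WIWEB-C WIWEB-C_1 SKIPPED
PI-A PI-A_1 CANCELLED
PI-A PI-A_2 PASSED
PI_B PI-A_1 CANCELLED
DC_A DC_A_1 FAILED
DC_B DC_B_1 FAILED
"""

# Assumed pattern: the prefix is the leading run of capital letters, so it
# stops at either separator seen in the data ("-" in PI-A, "_" in PI_B, DC_A).
PREFIX = re.compile(r"^(?P<PROJ>[A-Z]+)")

def parse(text):
    """Yield (PROJ, STATUS) per row; a name with no capital-letter prefix maps to 'OTHER'."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed rows
        proj_name, _tat_name, status = parts
        m = PREFIX.match(proj_name)
        yield (m.group("PROJ") if m else "OTHER", status)

def group_totals(text):
    """Report 1: number of rows per project prefix."""
    return Counter(proj for proj, _ in parse(text))

def status_by_group(text, groups=("WIWEB", "PI", "DC")):
    """Report 2: STATUS x PROJ counts with a row total and a TOTAL row."""
    cells = Counter(parse(text))
    statuses = list(dict.fromkeys(s for _, s in parse(text)))  # first-seen order
    table = {s: [cells[(g, s)] for g in groups] for s in statuses}
    table["TOTAL"] = [sum(col) for col in zip(*table.values())]
    return {s: row + [sum(row)] for s, row in table.items()}

if __name__ == "__main__":
    print(dict(group_totals(SAMPLE)))
    for status, row in status_by_group(SAMPLE).items():
        print(status, *row)
```

Rows land in OTHER rather than being dropped, so a project name that does not fit the assumed pattern shows up in the first report instead of silently lowering the totals.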