I have the following event being returned (any event that includes "Streaming"):
Streaming 29 items to https://test.url.com/api/reginvolved/System/Legacy
I need the number after Streaming, in this case 29 (it can potentially be any number), extracted so I can add it up across all "Streaming" events.
It would also be helpful if the URL could be extracted as well, so I could potentially add up the "Streaming" number based on the URLs.
Thanks in advance!
If you have similar syntax for all the events, then you can get the count from the line with a regex like the following:
... | rex "Streaming\s+(?P<cnt>\d+)\sitems" | stats sum(cnt)
If your data varies by much, you should be able to make appropriate modifications to the rex. To get the URL as well, you can do it like the following:
... | rex "Streaming\s+(?P<cnt>\d+)\s+items\s+to\s+(?P<url>http\S+)" | stats sum(cnt) by url
or something similar.
The rex command makes this easy at search time. Assuming there is nothing after the URL, this should get you started.
index=foo | rex "Streaming\s(?<Streaming>\d+)\sitems\sto\s(?<URL>.*)" | ...
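A self-contained search for trying both answers' patterns without touching an index, added here as an example and not part of either answer. The events are constructed: the example.com URL, the trailing "status=ok" text, the non-matching "Connection closed" event and the field names constructed_event, url_greedy, total_items, events and greedy_captures are assumptions.

```spl
| makeresults
| eval constructed_event=split("Streaming 29 items to https://test.url.com/api/reginvolved/System/Legacy|Streaming 11 items to https://test.url.com/api/reginvolved/System/Legacy|Streaming 7 items to https://example.com/api/b|Streaming 3 items to https://example.com/api/b status=ok|Connection closed", "|")
| mvexpand constructed_event
| eval _raw=constructed_event
| rex "Streaming\s+(?<cnt>\d+)\s+items\s+to\s+(?<url>http\S+)"
| rex "Streaming\s+\d+\s+items\s+to\s+(?<url_greedy>.*)"
| where isnotnull(cnt)
| stats sum(cnt) as total_items count as events values(url_greedy) as greedy_captures by url
```

Grouping by url keeps the event with trailing text in the same bucket as its URL, while the greedy_captures column shows that the `.*` capture also swallows whatever follows the URL, so grouping by that field would split such events into a separate row.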