- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vinay4444
Explorer
10-13-2015
01:00 PM
Hi
We have field that has data in different formats (having values in [] but other simply name) e.g.
itemkey = ms.db.cpu_usage_percent[WL_DBA]
itemkey = ms.db.locks_count
I use the search below to get distinct metrics name stripping out workload [WL_DBA] but it does not count metrics without [] like ms.db.locks_count how do I get counts of both together?
index=xxxx sourcetype="xxx" value >= 0.000 | rex field=itemKey (?<metric>.)[(?<space>.)] | dedup metric | stats count(metric)
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-13-2015
01:05 PM
Try something like this
index=xxxx sourcetype="xxx" value >= 0.000 | rex field=itemKey "(?<metric>[^\[]*)" | dedup metric | stats count(metric)
OR
index=xxxx sourcetype="xxx" value >= 0.000 | eval metric=replace(itemKey,"(.*)\[.*\]","\1") | stats dc(metric)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-13-2015
01:05 PM
Try something like this
index=xxxx sourcetype="xxx" value >= 0.000 | rex field=itemKey "(?<metric>[^\[]*)" | dedup metric | stats count(metric)
OR
index=xxxx sourcetype="xxx" value >= 0.000 | eval metric=replace(itemKey,"(.*)\[.*\]","\1") | stats dc(metric)
