I have the following data:
...... 2021-06-18 21:05:45.037 +02:00 [Information] Status=[1111111111111111111111111111111111111111111111111111111111111111]" 2021-06-18 21:05:45.037 +02:00 [Information] Status=[1111111111111111111111111111111111111111111111111111111111111111]" 2021-06-18 21:05:45.037 +02:00 [Information] Status=[1111111111111111111111111111111111111111111111111111111111111111]" .....
I need to extract the Status field from the log data; each character of the value belongs to one Item.
Example: the first 1 is status OK for Item_1, the second 1 is status OK for Item_2, etc. (Total Items=64)
Finally I want to extract the raw data, convert it to a Status and link it to an Item:
_time | Items | Status |
2021-06-18 21:05:45.037 | Item_1 | Ok |
2021-06-18 21:05:46.037 | Item_1 | Not Ok |
2021-06-18 21:05:47.037 | Item_2 | Ok |
2021-06-18 21:05:49.037 | Item_n | .... |
....
I have tried the following script without success:
source="C:\\Logs\\*" host="392" index="Items"
| eval length=len(Status)
| where length > 60
| eval Item_1=substr(Status, 2, 1), Item_2=substr(Status, 3, 1), Item_3=substr(Status, 4, 1), Item_4=substr(Status, 5, 1)
| eval fieldnames=""
| foreach Item_* [ eval "<<FIELD>>"=case(<<FIELD>>==0, "Not Ok", <<FIELD>>==1, "Ok", <<FIELD>>==2, "Not Known") | eval test=<<FIELD>> ]
| foreach Item_* [ eval fieldnames=fieldnames."<<FIELD>>;" ]
| eval fieldnames=split(fieldnames, ";")
| table fieldnames test _time
Try something like this:
| makeresults
| eval _raw="2021-06-18 21:05:45.037 +02:00 [Information] Status=[1111111111111111111111111111111111111111111111111111111111111111]"
| rex "Status=\[(?<Status>[^\]]+)\]"
| eval Status=split(Status,"")
| streamstats count as row
| mvexpand Status
| streamstats count as item by row
| eval item="Item_".item
| eval Status=case(Status==0,"Not OK",Status==1,"OK",Status==2,"Not Known")
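The same transformation (one status character per Item, expanded into `_time | Items | Status` rows) reimplemented in Python as an added example, not the answerer's SPL and not part of the original thread, so the mapping can be checked offline against constructed log lines. The regex, the helper names and the strict 64-character length check are my assumptions based on the format shown in the question.

```python
import re

# Log format from the question: "<timestamp> <tz> [Level] Status=[<64 chars>]"
# (the raw sample also carries a stray double quote after the closing bracket).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{2}:\d{2}) '
    r'\[(?P<level>\w+)\] Status=\[(?P<status>[^\]]*)\]'
)

# Same code-to-label mapping as the answer above.
STATUS_LABELS = {"0": "Not OK", "1": "OK", "2": "Not Known"}
TOTAL_ITEMS = 64  # from the question (assumed fixed width)

def parse_status_line(line, total_items=TOTAL_ITEMS):
    """Return (timestamp_str, [(item_name, label), ...]) for one log line.

    Raises ValueError when the line does not match or the status vector is
    not exactly total_items long, so a truncated line is rejected rather
    than silently yielding fewer Item rows.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    status = m.group("status")
    if len(status) != total_items:
        raise ValueError(f"expected {total_items} status chars, got {len(status)}")
    rows = []
    for idx, code in enumerate(status, start=1):
        # A code outside the mapping is kept visible instead of being dropped.
        rows.append((f"Item_{idx}", STATUS_LABELS.get(code, f"Unmapped({code})")))
    return m.group("ts"), rows

def to_table(lines):
    """Flatten many log lines into (_time, Items, Status) rows, like the wanted output."""
    table = []
    for line in lines:
        ts, rows = parse_status_line(line)
        for item, label in rows:
            table.append((ts, item, label))
    return table

# Constructed sample: first line all OK; second line Item_2 Not OK and Item_64 Not Known.
SAMPLE_LINES = [
    "2021-06-18 21:05:45.037 +02:00 [Information] Status=[" + "1" * 64 + "]\"",
    "2021-06-18 21:05:46.037 +02:00 [Information] Status=[10" + "1" * 61 + "2]",
]

if __name__ == "__main__":
    for ts, item, label in to_table(SAMPLE_LINES):
        print(f"{ts} | {item} | {label}")
```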