Solved: How to extract, convert and show data

Sentira · ‎06-23-2021

I have following data and :

......
2021-06-18 21:05:45.037 +02:00 [Information] ChuteAndStatus=[20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020]"
2021-06-18 21:05:45.037 +02:00 [Information] ChuteAndStatus=[10202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020]"
2021-06-18 21:05:45.037 +02:00 [Information] ChuteAndStatus=[00202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020]"
.....

I need to extract the "First_Status" and "Second_Status" of a Chute and the field from log data and each 2 characters of value belongs to one Item.
Example: first character set "20", 2 is for First_Status and means OK and 0 is for Second_Status and means NOT OK for Item_1. (Total Items= 128/2 = 64)
Finally I want to extract the raw data and convert to First_Status , Second_Status and link them to a fix Item
(Item_1...Item_64):

_time	Items	First_Status	Second_Status
2021-06-18 21:05:45.037	Item_1	Ok	Ok
2021-06-18 21:05:46.037	Item_1	Not Ok	Not Ok
2021-06-18 21:05:47.037	Item_2	Ok	Ok
2021-06-18 21:05:49.037	Item_n	....	.....

....

ITWhisperer · ‎06-23-2021

| makeresults 
| eval _raw="2021-06-18 21:05:45.037 +02:00 [Information] ChuteAndStatus=[20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020]"


| rex "ChuteAndStatus=\[(?<ChuteAndStatus>[^\]]+)"
| rex max_match=0 field=ChuteAndStatus "(?<ChuteAndStatus>\d\d)"
| streamstats count as row 
| mvexpand ChuteAndStatus
| streamstats count as item by row
| eval item="item_".item
| eval First_Status=substr(ChuteAndStatus,1,1)
| eval Second_Status=substr(ChuteAndStatus,2,1)
| eval First_Status=case(First_Status==0,"Not OK",First_Status==1,"OK",First_Status=2,"Not Known")
| eval Second_Status=case(Second_Status==0,"Not OK",Second_Status==1,"OK",Second_Status=2,"Not Known")

View solution in original post

ITWhisperer · ‎06-23-2021

| makeresults 
| eval _raw="2021-06-18 21:05:45.037 +02:00 [Information] ChuteAndStatus=[20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020]"


| rex "ChuteAndStatus=\[(?<ChuteAndStatus>[^\]]+)"
| rex max_match=0 field=ChuteAndStatus "(?<ChuteAndStatus>\d\d)"
| streamstats count as row 
| mvexpand ChuteAndStatus
| streamstats count as item by row
| eval item="item_".item
| eval First_Status=substr(ChuteAndStatus,1,1)
| eval Second_Status=substr(ChuteAndStatus,2,1)
| eval First_Status=case(First_Status==0,"Not OK",First_Status==1,"OK",First_Status=2,"Not Known")
| eval Second_Status=case(Second_Status==0,"Not OK",Second_Status==1,"OK",Second_Status=2,"Not Known")

How to extract, convert and show data

eval

fields

regex

table

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!