I have an event which contains error reason codes of failed records. I have to extract these reason codes and get a count of each of these reason codes.
Hi @pradeepkm
Is this a multiline event?
your search | rex field=_raw "Reason code::(?<Reason_code>[\w+ ]+)" |stats count by Reason_code
No, all reason codes are coming in a single event. That’s where I have difficulty in gathering stats.
Hi @pradeepkm
just try the below search
index="response" sourcetype="new" | rex field=_raw "Reason code::(?<Reason_code>[\w+ ]+)" max_match=0 |stats count by Reason_code
I just ingested your data and ran the above search query; just replace your search before the rex command.
If this helps, karma points are appreciated.
Hi @pradeepkm,
to extract these error codes you have to create a field using a regex and then use a stats command to aggregate them.
Only as an example, if you want to take the Oracle errors that are always "ORAXXXX" where XXXX is a four-digit number, you should use a search like this:
index=your_index
| rex "(?<ora_error>ORA\d+)"
| stats count BY ora_error
To better help you I'd need a sample of your logs.
Ciao.
Giuseppe
This is what my event looks like:
Processing started….
Record No 1
Reason code : :Component code not found
Record No.3
Reason code: :Address not found
Record No.7
Reason code::Address not found
processing ended at…
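
An added example, not from any poster in this thread: a self-contained search that builds a constructed copy of the sample event with makeresults, extracts every reason code from the single event with max_match=0, and counts them. The whitespace-tolerant pattern around the two colons is an assumption based on the spacing variations visible in the sample event above.

```spl
| makeresults
| eval _raw="Processing started (constructed sample event)
Record No 1
Reason code : :Component code not found
Record No.3
Reason code: :Address not found
Record No.7
Reason code::Address not found
processing ended"
| rex field=_raw max_match=0 "Reason code\s*:\s*:\s*(?<Reason_code>[^\r\n]+)"
| stats count BY Reason_code
```

Because max_match=0 makes Reason_code a multivalue field, stats count BY Reason_code counts each extracted value on its own. To run it on indexed data, replace the makeresults and eval commands with your base search.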