How to fetch relevant data from the different log ...

2chs · ‎11-25-2020

Hi There,

I need to fetch some data based on a unique ID from the different log lines can you please help me with the search query.

Example for relevant logs with unique ID will be:

Time=DDMMY ID=001 INFO Requester=Bob

Time=DDMMY ID=001 INFO Request Type=Normal

Time=DDMMYY ID=001 INFO Request Status=success

So, need them in this format

Time ID Requester Request Type Request Status

DDMMYY 001 Bob Normal Success

Please Help. Thanks in advance.

to4kawa · ‎11-25-2020

index=_internal | head 1 | fields _raw
| eval _raw="Time=DDMMY ID=001 INFO Requester=Bob
Time=DDMMY ID=001 INFO Request Type=Normal
Time=DDMMYY ID=001 INFO Request Status=success"
| multikv noheader=t 
| table _raw
| rex "(?<comment>(?# the logic))"
| kv
| stats last(Time) as Time values(Requester) as Requester values(Type) as  Request_Type values(Status) as Request_Status by ID

How to fetch relevant data from the different log lines based on a unique ID ?

eval

fields

regex

rex

stats

transaction