Hi guys,
First off I'd like to apologize for the lopsided question as I am kinda unsure of what I was asked to do! Alright, so I'm going to post some logs and I need help from you guys to pull out some info from them. I need to pull out the bold text for all three logs, and was wondering if it was possible to put all of it into one search.
I am trying to get EmployeeDocumentsServicesImp.getDocument() also with the Elapsed time.
This should work:
<search that finds all 3 logs> | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | table service elapsedTime
Hi Rich and thanks for your answer. I tried to execute that search and got back an error message. The message is as follows:
Error in 'search' command: Unable to parse the search: Comparator '<' has an invalid term on the left hand side.
The first part of the search is a placeholder. Since only you know how your data is stored, you need to fill in the <search that finds...> part.
So I tried to do as you said and this is my search :
index=Doccloud_main sourcetype="doccloud-dit_sb" | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | table service elapsedTime
It works, but it only displays getDocument and getDocument PDF in a weird format. I was wondering if I could convert this data to display into a graph as I wanted to include it into the dashboard. I also want to include a search for EmployeeDocumentServceImp.listDocuments().
To get a graph, replace the table command with chart avg(elapsedTime) by service or timechart values(elapsedTime) by service.
To add the new service, change the rex string to "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]".
So I tried entering in the same which you just told me about, and got the same results as before. The results in a table going from 1-53 and not displaying anything after that. The search is :
index=doccloud_main sourcetype="doccloud-dit_sb" | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]"| chart avg(elapsedTime) by service
Have you clicked the Visualizations tab?
So it is displaying getDocument and getDocument PDF, but it is not listing listDocuments. Here is the code:
index=doccloud_main sourcetype="doccloud-dit_sb" | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | timechart values(elapsedTime) by service
Carefully compare the service names in your data with the names in the regex. Perhaps you need to change Imp\.listDocuments to Imp[l]?\.listDocuments.
Yup! That was the last leg! Thanks a lot
You're welcome. Please accept the answer.
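The difference between the two rex patterns in this thread, as an added example that is not part of the original posts: Python's `re` accepts the same `(?P<name>...)` syntax, so both patterns can be checked offline against sample lines before pasting them into a search. The log lines are constructed to fit the regex (the real log layout is not shown in the thread), and `avg_by_service` is a hypothetical helper that mimics `chart avg(elapsedTime) by service`.

```python
import re
from collections import defaultdict

TAIL = r"\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]"
GET = r"EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?"

# Pattern as first extended in the thread: listDocuments only matches "Imp".
BEFORE = re.compile(
    r"(?P<service>" + GET + r"|EmployeeDocumentServicesImp\.listDocuments)" + TAIL
)
# Pattern after the final suggestion: "Imp" or "Impl" for listDocuments too.
AFTER = re.compile(
    r"(?P<service>" + GET + r"|EmployeeDocumentServicesImp[l]?\.listDocuments)" + TAIL
)

# Constructed sample events (assumed layout; the data uses the "Impl" spelling).
SAMPLE = [
    "10:00:01 INFO EmployeeDocumentServicesImpl.getDocument() Elapsed time: - [100.0]",
    "10:00:02 INFO EmployeeDocumentServicesImpl.getDocument() Elapsed time: - [200.0]",
    "10:00:03 INFO EmployeeDocumentServicesImpl.getDocumentPDF() Elapsed time: - [50.5]",
    "10:00:04 INFO EmployeeDocumentServicesImpl.listDocuments() Elapsed time: - [30.0]",
    "10:00:05 INFO EmployeeDocumentServicesImpl.listDocuments() Elapsed time: - [10.0]",
]


def avg_by_service(pattern, lines):
    """Return ({short service name: mean elapsedTime}, [lines with no match])."""
    values = defaultdict(list)
    unmatched = []
    for line in lines:
        m = pattern.search(line)
        if m is None:
            unmatched.append(line)  # rex would leave both fields empty here
            continue
        name = m.group("service").split(".", 1)[1]  # drop the class prefix
        values[name].append(float(m.group("elapsedTime")))
    return {k: sum(v) / len(v) for k, v in values.items()}, unmatched


if __name__ == "__main__":
    for label, pat in (("before", BEFORE), ("after", AFTER)):
        averages, missed = avg_by_service(pat, SAMPLE)
        print(label, averages, "unmatched events:", len(missed))
```

Counting the unmatched events is the quick check here: a service missing from the chart while events go unmatched points at the regex, not at the chart command.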