I have following pattern in my logs and i have need to sum up the numeric values. I want to sum up how many products persisted by evaluating following log statment?
2020-03-25 02:48:29.673 INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl : Total number of manual products persisted - 50
What would be the right way to sum up persisted product? In above example 50 products got persisted. So considering following logs, my requirement is to get sum of 150 product persisted.
2020-03-25 02:18:29.673 INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl : Total number of manual products persisted - 50 2020-03-25 02:28:29.673 INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl : Total number of manual products persisted - 40 2020-03-25 02:38:29.673 INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl : Total number of manual products persisted - 60
Do need to add any field with eval expression? if yes how to achieve it?
Assuming you have the persisted value extracted as 'persisted' then you can get the sum using
| stats sum(persisted) as TotalPersisted.
I have extracted but not sure if that work because it has string literals as well as numeric values. How to read numeric value from extracted field? Sorry i am very new to this techonlogy.
In your example logs, the persisted field is only numeric so a proper extraction should not have non-numeric values. You may need to further process the field to eliminate non-numeric values.
First create an
field extraction for this
sourcetype so that
persisted is always available for every search. Then just do this:
index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" | stats sum(persisted) AS Total_Persisted BY host and/or other fields here
The field extraction might be something like this:
REGEX = Total number of manual products persisted\s*-\s*(?<persisted>\d+)