I have one log like:
log1 tid=,"tid":"abcd";
And another log like:
log2 userid=11 tid=abcd
I want to get the count of results where rexed tid in log1 matches tid in log2, deduped by userid.
I tried:
log2 [search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | eval tid1=tid | dedup userid] | stats count
However, it returned 0, though there should be more.
Like this:
index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND ("log1" OR "log2")
| rex "tid=,\"tid\":\"(?<tid>.*)\";"
| eval which=if(searchmatch("log1"), "log1", "log2")
| dedup userid which
| stats dc(which) AS which_count BY tid
| where which_count==2
e.g.
| makeresults
| eval _raw="userid=11 tid=abcd"
| appendpipe
[eval _raw="userid=12 tid=abce"]
| kv
| search
[| makeresults
| eval _raw="tid=,\"tid\":\"abcd\";"
| rex field=_raw "\"tid\":\"(?<tid1>.*)\";"
| rename tid1 as query]
Recommend:
log2
| kv
| search [ search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | rename tid1 as query]
| stats count by userid
Hi, @infcl
Maybe log1 does not have userid, so dedup userid can't work and the result is "0".
I don't know the fields extracted, so I use kv. If log2 has the field userid, kv is not needed.
Unfortunately it didn't work.
log2 always has userid.
Even
log2 | search [ search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | rename tid1 as query]
did not return any results.
When I search
log2
and
log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1
individually, they return results, so those portions are correct.
Does
log2 "tid1 value"
return results?
My search uses the same logic.
I think you are saying:
search log2
⇨ returns results
search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1
⇨ returns results
OK?
Yes, that's what I mean: the individual searches are correct. But the matching is not.
If the log2 tid field is extracted,
log2 [search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 | rename tid1 as tid]
This query should return results.
If it returns "0", there really is no result.
I don't know if this will make a difference, but your regex is missing escapes on some of your characters. Try
| rex "tid\"\:\"(?<tid1>[^\"]+)"
@jscraig2006 that shouldn't be a problem, because
log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1
does return results.
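Added example (not code from this thread or from any of its participants): a small Python re-implementation of the correlation the SPL answers above perform with a subsearch, so the regex and the "dedup by userid" step can be checked offline. The log lines are constructed to match the two shapes in the question (log1 carries the tid as a JSON fragment, log2 carries tid and userid as key=value pairs); the `\w+=\S+` key/value regex is an assumed stand-in for Splunk's automatic field extraction, and the third log1 line is constructed with a second quoted field after the tid to show why the greedy `.*` capture in the original rex can swallow more than the tid while the `[^"]+` form does not.

```python
"""Correlate two log sources by a shared transaction id (tid) and count distinct users.

Added example, not from the original thread: mirrors in Python the SPL
    log2 [search log1 | rex ... | rename tid1 AS tid] | stats count BY userid
so the regex and the dedup step can be checked without a Splunk instance.
"""
import re
from collections import defaultdict

# Constructed sample events (not real data). The third log1 line has a second
# quoted field after the tid to show why a greedy '.*' capture is unsafe.
LOG1 = [
    'log1 tid=,"tid":"abcd";',
    'log1 tid=,"tid":"efgh";',
    'log1 tid=,"tid":"ijkl"; extra="x";',
]
LOG2 = [
    "log2 userid=11 tid=abcd",
    "log2 userid=11 tid=abcd",   # same user, same tid: collapses under dedup userid
    "log2 userid=12 tid=abce",   # tid not present in log1: must not be counted
    "log2 userid=13 tid=ijkl",
]

# The regex from the question: '.*' is greedy and runs to the LAST '";' on the line.
GREEDY = re.compile(r'tid=,"tid":"(?P<tid>.*)";')
# Tightened capture: stop at the next double quote, so trailing fields cannot leak in.
TIGHT = re.compile(r'tid=,"tid":"(?P<tid>[^"]+)";')
# Assumed stand-in for Splunk's automatic key=value extraction (kv).
KV = re.compile(r'(\w+)=(\S+)')


def extract_tids(lines, pattern=TIGHT):
    """Set of tids captured from log1-style lines (like 'rex ... | fields tid1')."""
    tids = set()
    for line in lines:
        m = pattern.search(line)
        if m:
            tids.add(m.group("tid"))
    return tids


def parse_kv(line):
    """key=value pairs from a log2-style line (like Splunk's kv / auto-extraction)."""
    return dict(KV.findall(line))


def correlate(log1, log2, pattern=TIGHT):
    """Equivalent of: log2 [search log1 | rex ... | rename tid1 AS tid] | stats count BY userid.

    Returns {userid: event_count} for log2 events whose tid appears in log1.
    """
    wanted = extract_tids(log1, pattern)
    per_user = defaultdict(int)
    for line in log2:
        fields = parse_kv(line)
        if fields.get("tid") in wanted and "userid" in fields:
            per_user[fields["userid"]] += 1
    return dict(per_user)


def distinct_users(log1, log2, pattern=TIGHT):
    """Number of distinct userids with a matching tid (the 'deduped by userid' count)."""
    return len(correlate(log1, log2, pattern))


if __name__ == "__main__":
    print("greedy capture:", sorted(extract_tids(LOG1, GREEDY)))
    print("tight capture: ", sorted(extract_tids(LOG1, TIGHT)))
    print("events per user:", correlate(LOG1, LOG2))
    print("distinct users: ", distinct_users(LOG1, LOG2))
```

With the tightened pattern the third tid (`ijkl`) is recovered and two distinct users match; with the greedy pattern that tid is captured as `ijkl"; extra="x`, never matches log2, and the count silently drops to one. The same over-capture happens inside Splunk's rex, which is why a subsearch built on it can return fewer matches than expected without any error.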