index=xyz "The Key is not in cache the source Code:" |rex field=_raw ":(?\w+)" | stats count by imagetype
However, it is giving me output as below:
Imagetype Count
00 14
01 7
02 5
03 11
Instead, I was expecting the below:
Imagetype Count
JPEG 1
TIF 05
GIF 07
Appreciate your help on this
2017-08-18T03:34:06+00:00 vxdev-pp03 [8/17/17 23:34:06:045 EDT] 0000d635 PersistenceMo I The Key is not in cache the source Code:JPEG
2017-08-18T03:14:24+00:00 vxpup-pp04 [8/17/17 23:14:24:131 EDT] 0000d61d PersistenceMo I The Key is not in cache the source Code:TIF
2017-08-18T02:10:16+00:00 vxpup-pp05 [8/17/17 22:10:16:009 EDT] 0000d4a9 PersistenceMo I The Key is not in cache the source Code:GIF
2017-08-18T03:44:06+00:00 vxdev-pp03 [8/17/17 23:34:06:045 EDT] 0000d635 PersistenceMo I The Key is not in cache the source Code:JPEG
2017-08-18T03:14:54+00:00 vxpup-pp04 [8/17/17 23:14:24:131 EDT] 0000d61d PersistenceMo I The Key is not in cache the source Code:TIF
Assuming the messages above are the entire event, you could do something like this:
BASE SEARCH | rex field=_raw ":(?<imagetype>\w+)" | stats count by imagetype
index=xyz "The Key is not in cache the source Code:" |rex field=_raw ":(?\w+)" | stats count by imagetype
However, it is giving me output as below:
imagetype Count
00 14
01 7
02 5
03 11
Instead, I was expecting the below:
imagetype count
JPEG 14
TIF 05
GIF 07
Appreciate your help on this
You were missing the name for the capture group (imagetype for example) in the rex expression.
You can't get that result output with the input you gave. Go back and cut/paste the exact input messages into your question.
2017-08-18T03:34:06+00:00 vxdev-pp03 [8/17/17 23:34:06:045 EDT] 0000d635 PersistenceMo I The Key is not in cache the source Code:JPEG
2017-08-18T03:14:24+00:00 vxpup-pp04 [8/17/17 23:14:24:131 EDT] 0000d61d PersistenceMo I The Key is not in cache the source Code:TIF
2017-08-18T02:10:16+00:00 vxpup-pp05 [8/17/17 22:10:16:009 EDT] 0000d4a9 PersistenceMo I The Key is not in cache the source Code:GIF
2017-08-18T03:44:06+00:00 vxdev-pp03 [8/17/17 23:34:06:045 EDT] 0000d635 PersistenceMo I The Key is not in cache the source Code:JPEG
2017-08-18T03:14:54+00:00 vxpup-pp04 [8/17/17 23:14:24:131 EDT] 0000d61d PersistenceMo I The Key is not in cache the source Code:TIF
Above is my exact input.
Try this
<.search> |rex field=_raw "(Code:(?P\w+))" |stats count by Code
Tried it. It throws the below error:
Error in 'rex' command: Encountered the following error while compiling the regex '(Code:(?P\w+))': Regex: unrecognized character after (?P
BASE SEARCH |rex field=_raw "(Code:(?P<Code>\w+))" |stats count by Code
Thank you, Surya & Morris, for your help.
It works now.
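An added example, not from the thread or from Splunk, written in Python rather than SPL so it runs offline: it replays the five events quoted above through an unanchored `:(?P<imagetype>\w+)` and through the `Code:`-anchored pattern, taking the first match per event as `rex` does by default, and checks that a group with its name missing fails to compile. The function names are made up for this illustration, and Python's `re` accepts only the `(?P<name>...)` spelling.

```python
import re
from collections import Counter

# Sample input: the five events quoted in the thread.
EVENTS = [
    "2017-08-18T03:34:06+00:00 vxdev-pp03 [8/17/17 23:34:06:045 EDT] 0000d635 PersistenceMo I The Key is not in cache the source Code:JPEG",
    "2017-08-18T03:14:24+00:00 vxpup-pp04 [8/17/17 23:14:24:131 EDT] 0000d61d PersistenceMo I The Key is not in cache the source Code:TIF",
    "2017-08-18T02:10:16+00:00 vxpup-pp05 [8/17/17 22:10:16:009 EDT] 0000d4a9 PersistenceMo I The Key is not in cache the source Code:GIF",
    "2017-08-18T03:44:06+00:00 vxdev-pp03 [8/17/17 23:34:06:045 EDT] 0000d635 PersistenceMo I The Key is not in cache the source Code:JPEG",
    "2017-08-18T03:14:54+00:00 vxpup-pp04 [8/17/17 23:14:24:131 EDT] 0000d61d PersistenceMo I The Key is not in cache the source Code:TIF",
]

# Unanchored: the first ':' in each event sits inside the timestamp.
UNANCHORED = re.compile(r":(?P<imagetype>\w+)")
# Anchored on the literal that precedes the value we actually want.
ANCHORED = re.compile(r"Code:(?P<imagetype>\w+)")


def count_by_imagetype(pattern, events):
    """Mimic `rex ... | stats count by imagetype`.

    Only the first match per event is used; events with no match
    contribute nothing to the counts.
    """
    counts = Counter()
    for raw in events:
        match = pattern.search(raw)
        if match:
            counts[match.group("imagetype")] += 1
    return dict(counts)


def compiles(regex):
    """Return True if the pattern compiles, False on a syntax error."""
    try:
        re.compile(regex)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    print("unanchored:", count_by_imagetype(UNANCHORED, EVENTS))
    print("anchored:  ", count_by_imagetype(ANCHORED, EVENTS))
    print("nameless group compiles:", compiles(r"(Code:(?P\w+))"))
```
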