Hello,
In my search I'm trying to get a series of events (transact - which is in the _raw field) counted out by another field in _raw for GET or POST. This is what I'm currently using:
host="EXAMPLE-*" sourcetype=Hex4 /ps/* | rex mode=sed field=_raw "s/(\S+)(tx_\S+)(\/\S+)/\1trans\3/g" | rex mode=sed field=_raw "s/(\S+)(nce_\S+)(\/\S+)/\1nce\3/g" | rex mode=sed field=_raw "s/(\S+)(dce_\S+)(\/\S+)/\1dvc\3/g" | rex "POST (?<transact>\S+)" | stats count(eval(method="GET")) as GET, count(eval(method="POST")) as POST by transact
It does bring up the transactions and columns for GET and POST, but the counts are blank, so I know I'm doing something wrong.
Any help would be greatly appreciated!
Thank you!
Check that the method field has actually been extracted.
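As an added illustration of that check (these searches are not part of the original question or answer), the two SPL searches below assume the events carry the HTTP method directly in front of the request path, for example `GET /ps/tx_12345/status` or `POST /ps/nce_778/submit` (a constructed layout; adjust the regex to the real event text). The original search never extracts `method` at all, and its only `rex` (`"POST (?<transact>\S+)"`) matches POST events alone, so GET events have no `transact` value and are dropped by `stats ... by transact`. The first search verifies how many events get each field; the second is the original search with that single `rex` replaced by one that captures both the method and the path.

```spl
host="EXAMPLE-*" sourcetype=Hex4 /ps/*
| rex field=_raw "(?<method>GET|POST) (?<transact>\S+)"
| stats count AS total, count(method) AS with_method, count(transact) AS with_transact

host="EXAMPLE-*" sourcetype=Hex4 /ps/*
| rex mode=sed field=_raw "s/(\S+)(tx_\S+)(\/\S+)/\1trans\3/g"
| rex mode=sed field=_raw "s/(\S+)(nce_\S+)(\/\S+)/\1nce\3/g"
| rex mode=sed field=_raw "s/(\S+)(dce_\S+)(\/\S+)/\1dvc\3/g"
| rex field=_raw "(?<method>GET|POST) (?<transact>\S+)"
| stats count(eval(method="GET")) AS GET, count(eval(method="POST")) AS POST BY transact
```

In the first search, `count(method)` only counts events where the field exists, so `with_method` far below `total` (or 0) means the regex does not match the event layout; run `| head 5 | table _raw` on the same base search to see the actual text and adjust the pattern. Once `with_method` equals `total`, the second search produces non-blank GET and POST counts per normalized transaction path, and the `sed` substitutions are applied before the extraction so `transact` already carries the `trans`, `nce` and `dvc` placeholders.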