Hi
I am trying to use the transaction command, but actionName is empty!
Here is my SPL:
| rex "actionName.*\.(?<actionName>\w+\.\w+)\]" | rex "duration\[(?<duration>\d+)"
| rex "transactionId\[(?<transactionId>\w+-\w+-\w+-\w+-\w+)"
|transaction transactionId
| table duration actionName username
Here is the current result:
duration actionName username
171847 ABC
Here is the expected result:
duration actionName username
171847 QueryOnData.Allow ABC
Here is the log:
2022-05-30 12:39:34,262 INFO [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] parameters[] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] username[ABC] startTime[1653898174262]
2022-05-30 12:42:26,109 INFO [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] duration[171847] status[done]
You have extracted actionName as method - try it this way
| rex "actionName.*\.(?<actionName>\w+\.\w+)\]"
Sorry, it was a typo; I modified the post. The result is the same and it still does not work.
There doesn't appear to be anything wrong with your rex expressions (given the examples you provided). However, you could try it this way
| rex "actionName\[(\w+\.)*(?<actionName>\w+\.\w+)\]"
Thank you, now actionName shows correctly.
I have encountered another strange issue: when I use transaction and sort by duration at the end, it shows the highest duration as 15000, but when I remove transaction it shows 17000 as the highest duration!!!
FYI 1: the correct value is 17000 and there is no special filter here!
FYI 2: duration is printed directly in the log; I just use transaction to aggregate the two lines.
Here is with transaction command:
| rex "actionName.*\.(?<actionName>\w+\.\w+)\]" | rex "duration\[(?<duration>\d+)"
| rex "transactionId\[(?<transactionId>\w+-\w+-\w+-\w+-\w+)"
|transaction transactionId | sort - duration
| table duration actionName username
Here is without transaction:
| rex "actionName.*\.(?<actionName>\w+\.\w+)\]" | rex "duration\[(?<duration>\d+)"
| rex "transactionId\[(?<transactionId>\w+-\w+-\w+-\w+-\w+)"
| sort - duration
| table duration actionName username
Any idea?
Thanks
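The two actionName patterns from this thread, run over the posted log lines and merged per transactionId, as an added example that is not part of the original posts. It uses Python's `re` as a stand-in for Splunk's `rex`; the `username` pattern, the helper names and the constructed third event with its `client[...]` field are assumptions made for illustration.

```python
import re
from collections import defaultdict

# actionName patterns from the thread, rewritten with Python's (?P<name>...) syntax.
GREEDY = re.compile(r"actionName.*\.(?P<actionName>\w+\.\w+)\]")
ANCHORED = re.compile(r"actionName\[(\w+\.)*(?P<actionName>\w+\.\w+)\]")
# duration and transactionId as posted; the username pattern is an assumption.
OTHER = {
    "duration": re.compile(r"duration\[(\d+)"),
    "transactionId": re.compile(r"transactionId\[(\w+-\w+-\w+-\w+-\w+)"),
    "username": re.compile(r"username\[(\w+)"),
}
TID = "8d135d45-c117-4781-a3ed-9a6a9db7ce4d"
PREFIX = "INFO [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow]"
# The two events from the post.
POSTED = [
    f"2022-05-30 12:39:34,262 {PREFIX} parameters[] transactionId[{TID}] username[ABC] startTime[1653898174262]",
    f"2022-05-30 12:42:26,109 {PREFIX} transactionId[{TID}] duration[171847] status[done]",
]
# Constructed event: client[...] is a hypothetical later field holding a dotted value.
CONSTRUCTED = f"2022-05-30 12:45:00,000 {PREFIX} client[srv01.example.local] transactionId[{TID}]"

def extract(line, action_re):
    """Return the fields one event yields with the given actionName pattern."""
    fields = {}
    m = action_re.search(line)
    if m:
        fields["actionName"] = m.group("actionName")
    for name, rx in OTHER.items():
        m = rx.search(line)
        if m:
            fields[name] = m.group(1)
    return fields

def merge_by_transaction(lines, action_re):
    """Combine the fields of all events that share a transactionId."""
    merged = defaultdict(dict)
    for line in lines:
        fields = extract(line, action_re)
        if "transactionId" in fields:
            merged[fields["transactionId"]].update(fields)
    return dict(merged)

if __name__ == "__main__":
    print(merge_by_transaction(POSTED, ANCHORED))   # one merged row for the two posted events
    print(extract(CONSTRUCTED, GREEDY)["actionName"], extract(CONSTRUCTED, ANCHORED)["actionName"])
```

On the posted events both patterns give the same row; they differ only on the constructed event, where the greedy `.*` runs past the closing bracket of `actionName[...]` and captures from the later dotted field.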