Hi everyone,
I am stuck in a situation where in my app logs there are two important values(one is a number and other is a text string) are being captured and I need to draw a stats count using these two values.
so here is the base query:
index=Myapp sourcetype=weblogic "ReservationConfirmRS returned errors for TrainId"
| dedup requestId sortBy -_time | timechart count span=1d
the log looks like below:
ReservId=30010632019 billingCurrency=“INR”,Status=7000, Error='ReservationConfirmRS returned errors for TrainId 45732 and reference number null[The trxn could not been confirmed. Please try again. Cause: ]’,travelerType=3
so the 'TrainId' and text in bracket [text-string] would be different, and I need to draw a stats count for these two values.
Please help!
Hi @lazyturtle_,
Thank you, I think below will work for you;
| rex "ReservationConfirmRS\sreturned\serrors\sfor\sTrainId\s(?<TrainId>\d+).+\[(?<errorMsg>[^\]]+)"
| stats count by TrainId errorMsg
Hi @lazyturtle_,
Thank you, I think below will work for you;
| rex "ReservationConfirmRS\sreturned\serrors\sfor\sTrainId\s(?<TrainId>\d+).+\[(?<errorMsg>[^\]]+)"
| stats count by TrainId errorMsg
Hi @scelikok ,
thanks a lot, this worked 🙂
I meant the desired output, what you want to see as a result of these three events.
Hi @scelikok ,
the desired output should be like this:
TrainId | errorMsg | Count |
45732 | The trxn could not been confirmed. Please try again. Cause: | 3 |
12411 | The trxn could not been confirmed. Please try again. Cause: | 2 |
45732 | There is a Stop sale for TrainId: 12411, fromDate: 2021-02-12, toDate: 2021-02-22 | 1 |
12411 | The trxn could not been confirmed. Please try again. Cause: | 7 |
23765 | There was one error in the communication with the reservation system | 1 |
45732 | There was one error in the communication with the reservation system | 1 |
12411 | There was one error in the communication with the reservation system | 1 |
Thank you.
Hi @lazyturtle_,
I think I couldn't get your need. Regex is extracting these values and calculates daily count.
If you can put a sample desired output table based on your last three sample data, I will try again.
ReservId=30010632019 billingCurrency=“INR”,Status=7000, Error='ReservationConfirmRS returned errors for TrainId 45732 and reference number null[The trxn could not been confirmed. Please try again. Cause: ]’,travelerType=3
ReservId=30010632020 billingCurrency=“INR”,Status=6000, Error='ReservationConfirmRS returned errors for TrainId 12411 and reference number null[There is a Stop sale for TrainId: 12411, fromDate: 2021-02-12, toDate: 2021-02-22]',travelerType=2
ReservId=30010632021 billingCurrency=“INR”,Status=7000, Error='ReservationConfirmRS returned errors for TrainId 23765 and reference number null[[There was one error in the communication with the reservation system]',travelerType=3
Hi @lazyturtle_,
Please try below;
| rex "ReservationConfirmRS\sreturned\serrors\sfor\sTrainId\s(?<TrainId>\d+).+\[(?<text_string>[^\]]+)"
| timechart span=1d count(TrainId) TrainId count(text_string) as text_string
hi @scelikok ,
I tried your solution but that didn't give me the desired out put, as I said in the error message the 'TrainId' and error string in the bracket could be different, some of the examples below:
- ReservationConfirmRS returned errors for TrainId 12411 and reference number null[There is a Stop sale for TrainId: 12411, fromDate: 2021-02-12, toDate: 2021-02-22]
- ReservationConfirmRS returned errors for TrainId 12973 and reference number null[The trxn could not been confirmed. Please try again. Cause: ]'
- ReservationConfirmRS returned errors for TrainId 23765 and reference number null[[There was one error in the communication with the reservation system]