Tried the below query. Where there is no data for any Msgs, it is displaying zero only for the 1st 3 rows; the remaining rows are displaying null.

index=app-index source=application.logs
|rex field= _raw "application :\s(?<Application>\w+)"
| rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
|chart count over Application by Msgs
|rename "Initial message received with below details" as Income, "Letter published correctley to ATM subject" as ATM, "Letter published correctley to DMM subject" as DMM, "Letter rejected due to: DOUBLE_KEY" as Reject, "Letter rejected due to: UNVALID_LOG" as Rej_log, "Letter rejected due to: UNVALID_DATA_APP" as Rej_app
|table Income Rej_app ATM DMM Reject Rej_log Rej_app
|appendcols
[| makeresults format=csv data="Income, Rej_app, ATM, DMM, Reject, Rej_log, Rej_app
,,,,,
,,,,,
,,,,,"
| fillnull]

Output:

Application ATM DMM Income Rej_app Rej_log Reject
Login 10 0 0 2 0 0
Success 12 0 0 1 0 0
Error 23 0 0 11 0 0
Debug 2 3
logout 1 50
error-state 61 20
normal-state 1 10