Hi @gcusello Yes for that i used stats values of filed name .But i cant able to seperate the error and succes file This is my new query : index=mulesoft environment=* (applicationName IN ("Test...
See more...
Hi @gcusello Yes for that i used stats values of filed name .But i cant able to seperate the error and succes file This is my new query : index=mulesoft environment=* (applicationName IN ("Test"))
| stats values(content.FileList{}) as FileList values(content.FileName) as Filename values(content.Filename) as filename1 min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY correlationId applicationName
| eval Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS")
| eval SuccessFileName=mvdedup(mvfilter(match(message, "%succesfully*") OR match(message, "Summary of all Batch*") ) )|eval SuccessFileName= coalesce(Filename,filename1)
| eval FailureFileName=mvdedup(mvfilter(match(priority, "WARN") OR match(priority, "ERROR") ) )|eval FailureFileName= coalesce(Filename,filename1)|table SuccessFileName FailureFileName