Hi @super_edition, first, don't use the search command after the main search, because your search will be slower:

(index=index_1 OR index=index_2) (kubernetes_namespace="kube_ns" OR openshift_namespace="ose_ns") (logger="PaymentErrorHandler" OR logger="PaymentStatusClientImpl") "Did not observe any item or terminal signal within"
| spath "paymentStatusResponse.orderCode"
| eval clusters=coalesce(openshift_cluster, kubernetes_cluster)
| stats values(clusters) as cluster, values(host) as hostname, count(host) as count, values(correlation-id{}) as corr_id, values(paymentStatusResponse.orderCode) as order_code

And the asterisk isn't mandatory in a string like yours. Then review the use of the spath command at https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchReference/Spath :

(index=index_1 OR index=index_2) (kubernetes_namespace="kube_ns" OR openshift_namespace="ose_ns") (logger="PaymentErrorHandler" OR logger="PaymentStatusClientImpl") "Did not observe any item or terminal signal within"
| spath output=orderCode path=paymentStatusResponse.orderCode
| eval clusters=coalesce(openshift_cluster, kubernetes_cluster)
| stats
    values(clusters) as cluster
    values(host) as hostname
    count(host) as count
    values(correlation-id{}) as corr_id
    values(orderCode) as order_code

Ciao.
Giuseppe
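To make the semantics of the pipeline in the answer above concrete, here is an added Python example that is not part of the thread and not Splunk's own code. It replays the same stages over a handful of constructed JSON pod events: the base-search filter, a minimal `spath`-style dotted-path extraction, `coalesce` for the cluster field, and `stats` with `values()` (distinct, sorted, multivalue-flattened) and `count()`. The event shape, the `message` field standing in for `_raw`, and the sample values are assumptions made for the example.

```python
"""Replay of the SPL pipeline from the answer over constructed JSON events (added example)."""
from typing import Any, Iterable, Optional

# Constructed sample events (not from the thread). Each dict stands for one indexed
# pod log event; 'message' plays the role of _raw for the free-text match.
NEEDLE = "Did not observe any item or terminal signal within"
EVENTS = [
    {"index": "index_1", "kubernetes_namespace": "kube_ns", "kubernetes_cluster": "k8s-a",
     "host": "pod-1", "logger": "PaymentErrorHandler", "message": NEEDLE + " 5000ms",
     "correlation-id": ["c-100"], "paymentStatusResponse": {"orderCode": "ORD-1"}},
    {"index": "index_2", "openshift_namespace": "ose_ns", "openshift_cluster": "ocp-b",
     "host": "pod-2", "logger": "PaymentStatusClientImpl", "message": NEEDLE + " 3000ms",
     "correlation-id": ["c-101", "c-102"], "paymentStatusResponse": {"orderCode": "ORD-2"}},
    # Wrong logger: excluded by the base search.
    {"index": "index_1", "kubernetes_namespace": "kube_ns", "kubernetes_cluster": "k8s-a",
     "host": "pod-3", "logger": "OtherLogger", "message": NEEDLE + " 1000ms",
     "correlation-id": ["c-103"], "paymentStatusResponse": {"orderCode": "ORD-3"}},
    # Right logger, but the free-text string is absent: excluded.
    {"index": "index_1", "kubernetes_namespace": "kube_ns", "kubernetes_cluster": "k8s-a",
     "host": "pod-1", "logger": "PaymentErrorHandler", "message": "Payment completed",
     "correlation-id": ["c-104"], "paymentStatusResponse": {"orderCode": "ORD-4"}},
    # Matches, but carries no paymentStatusResponse: spath yields null, values() skips it.
    {"index": "index_2", "openshift_namespace": "ose_ns", "openshift_cluster": "ocp-b",
     "host": "pod-2", "logger": "PaymentErrorHandler", "message": NEEDLE + " 2000ms",
     "correlation-id": ["c-101"]},
]


def coalesce(*candidates: Any) -> Any:
    """eval coalesce(a, b, ...): first non-null argument."""
    for value in candidates:
        if value is not None:
            return value
    return None


def base_search(event: dict) -> bool:
    """The boolean filter that runs against the index, before any pipe."""
    return (
        event.get("index") in {"index_1", "index_2"}
        and (event.get("kubernetes_namespace") == "kube_ns"
             or event.get("openshift_namespace") == "ose_ns")
        and event.get("logger") in {"PaymentErrorHandler", "PaymentStatusClientImpl"}
        and NEEDLE in event.get("message", "")
    )


def spath(event: dict, path: str) -> Optional[Any]:
    """Minimal stand-in for | spath path=a.b.c: walk a dotted path through nested JSON."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def values(field_values: Iterable[Any]) -> list:
    """stats values(): distinct non-null values, multivalue fields flattened, sorted."""
    seen = set()
    for value in field_values:
        if value is None:
            continue
        if isinstance(value, list):
            seen.update(str(v) for v in value)
        else:
            seen.add(str(value))
    return sorted(seen)


def run_search(events: Iterable[dict]) -> dict:
    """Run the whole pipeline and return the single stats row as a dict."""
    rows = []
    for event in events:
        if not base_search(event):
            continue
        rows.append({
            "orderCode": spath(event, "paymentStatusResponse.orderCode"),
            "clusters": coalesce(event.get("openshift_cluster"), event.get("kubernetes_cluster")),
            "host": event.get("host"),
            "corr_id": event.get("correlation-id"),
        })
    return {
        "cluster": values(r["clusters"] for r in rows),
        "hostname": values(r["host"] for r in rows),
        # count(host) counts events where host is non-null, not distinct hosts.
        "count": sum(1 for r in rows if r["host"] is not None),
        "corr_id": values(r["corr_id"] for r in rows),
        "order_code": values(r["orderCode"] for r in rows),
    }


if __name__ == "__main__":
    print(run_search(EVENTS))
```

Note the difference between `count(host)` (three matching events here, two of them from the same host) and `values(host)` (two distinct hostnames); the missing `paymentStatusResponse` on the last event shows why `order_code` can list fewer entries than `count`.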