How should I refine this query so that I can get every field in one table without using join, append, or any other subsearch?
(index=whcrm OR index=whcrm_int) sourcetype="bmw-sl-gcdm-int-api" ("Sending POST consents to *" OR "Create / Update Consents done" OR "Error in sync-consent-dataFlow:*")
| stats count(eval(if(match(_raw, "Sending POST consents to"), 1, null()))) as Total,
count(eval(if(match(_raw, "Create / Update Consents done"), 1, null()))) as Success,
count(eval(if(match(_raw, "Error in sync-consent-dataFlow:"), 1, null()))) as Error   ``` match() returns 0/1 (both non-null), so count() needs the if()/null() wrapper to count only matches; match() takes a regex, so the search-time wildcard * is dropped ```
| eval ErrorRate = round((Error / Total) * 100, 2)
| table Total, Success, Error, ErrorRate
| append
[ search (index=whcrm OR index=whcrm_int) sourcetype="bmw-sl-gcdm-int-api" ("Sending POST consents to *" OR "Create / Update Consents done" OR "Error in sync-consent-dataFlow:*")
| rex field=message ": (?<json>\{[\w\W]*\})$"
| spath input=json   ``` the properties.* fields come from the JSON captured by rex, so they must be extracted before rename ```
| rename properties.correlationId as correlationId
| rename properties.gcid as GCID
| rename properties.gcid as errorcode
| rename properties.entity as entity
| rename properties.country as country
| rename properties.targetSystem as target_system
| table correlationId GCID errorcode entity country target_system
]
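One single-pass way to get the per-event fields and the overall Total/Success/Error counts into the same table, without append or any subsearch. This is an added example, not part of the original post: it classifies each event with eval, extracts the JSON payload with spath, and uses eventstats to attach the aggregate counts to every row. The field name properties.errorCode is an assumption (the original query renames properties.gcid twice, so the real error-code key is not visible on the page); the other properties.* names are taken from the post.

```spl
(index=whcrm OR index=whcrm_int) sourcetype="bmw-sl-gcdm-int-api"
    ("Sending POST consents to *" OR "Create / Update Consents done" OR "Error in sync-consent-dataFlow:*")
| rex field=message ": (?<json>\{[\w\W]*\})$"
| spath input=json   ``` extract properties.* fields from the JSON object captured by rex ```
| eval stage=case(
        match(_raw, "Sending POST consents to"),        "sent",
        match(_raw, "Create / Update Consents done"),   "success",
        match(_raw, "Error in sync-consent-dataFlow:"), "error",
        true(),                                          "other")   ``` match() takes a regex, so the search-time wildcard * is not used here ```
| eval is_sent=if(stage="sent", 1, 0),
       is_success=if(stage="success", 1, 0),
       is_error=if(stage="error", 1, 0)
| eventstats sum(is_sent) as Total, sum(is_success) as Success, sum(is_error) as Error   ``` aggregates are added as columns on every event instead of collapsing the rows ```
| eval ErrorRate=round((Error / Total) * 100, 2)
| rename properties.correlationId as correlationId,
         properties.gcid as GCID,
         properties.errorCode as errorcode,   ``` assumed key name, not taken from the original query ```
         properties.entity as entity,
         properties.country as country,
         properties.targetSystem as target_system
| table _time stage correlationId GCID errorcode entity country target_system Total Success Error ErrorRate
```

Because the counts come from eventstats over the same event set, they are computed once and never hit subsearch result or timeout limits. If one row per correlationId is wanted instead of one row per event, replace the eventstats line with `stats sum(is_sent) as Total, sum(is_success) as Success, sum(is_error) as Error, values(GCID) as GCID, values(errorcode) as errorcode, values(entity) as entity, values(country) as country, values(target_system) as target_system by correlationId` (placed after the rename) and drop _time and stage from the table.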