About pjdwyer

pjdwyer · ‎07-05-2018

The problem had something to do with the rex command. This was my rex command: | rex field=_raw "Issuer=\"(?.+)\";File" Some of the variables around the Issuer variable just were not being caught, but when I changed it to this: | rex field=_raw "Issuer=(?.+);File" Everything gets caught. I believe this is a bug because I can have the '\"' on either side, but not both. I also tried using '\S' on both sides and that also does not capture everything. It also is not an issue with the string being captured because looking at the stats I can see that the number of individual Issuers caught does not change, but the number each individual one appears gets lowered slightly.

mlui_2 · ‎06-19-2018

index=java location=APICall api_method=POST Duration |timechart span=5m perc95(Duration) as P95| where P95> 30000ms

pjdwyer · ‎06-28-2018

Thank you so much! The idea to capture the alerts then expand them and work from there worked perfectly with my original method. I tried to use yours, but I think the max_match=0 on the ip and date capture was breaking it, and the time was not subtracting to give a proper difference. Thank you again!

somesoni2 · ‎06-13-2018

They are multi-valued field, so use eval-mvzip. (See @renjith.nair's comment for syntax OR this)

Posts	10
Solutions	2
Karma Given	5
Karma Received	1
Member Since	‎06-13-2018

Online Status	Offline
Date Last Visited	‎06-05-2020 02:04 AM

How do you see events where a variable's value is ...

How would you do a computation between a single va...

How do you concatenate strings of two multi-value ...

Re: How do you see events where a variable's value...

Re: How do I set an alert when 95th percentile is ...

Re: How would you do a computation between a singl...

Re: How do you concatenate strings of two multi-va...

Join the Conversation