contextName=olliebot service_name=olliebot source="/bb/logs/vcon/olliebot.log.2017*" AND (PRQS AND submitted)
| rex field=_raw "\"drqsNumber\":\s(?<DRQS>\d+).*\"routeToGroup\":\s(?<FIELD4>\d+).*PRQS\s(?<PRQS>\d+).*take\s(?<FIELD1>\S+)\soffline\son\s(?<FIELD2>.*)\sfor\s(?<FIELD3>.*)"
| eval epochDate=strptime(FIELD2, "%a %b %d %Y %H:%M:%S GMT%z (%Z)") | sort 0 epochDate
| table HOSTNAME, DRQS, PRQS, WINDOW, MAINTENANCE | fillnull value="NULL" | search HOSTNAME!="NULL" AND DRQS!="NULL" AND PRQS!="NULL" AND WINDOW!="NULL" | dedup HOSTNAME
WINDOW and MAINTENANCE are not rex'ed here. I think they are already extracted; otherwise you will need to update the rex query to include them.
I converted the date field FIELD2 to epoch and sorted. Hope this is good; please check and suggest. If the values are not extracted properly, remove all the rex'es and add them back one by one, verifying the syntax as you add each. Hope all works fine.
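As an added check, not part of the answer above or of any Splunk tooling: a Python model of the same pipeline (rex captures, strptime to epoch, sort, dedup) run over constructed sample lines. The log line shape is assumed from the rex (the lines are made up, not real olliebot output), and mapping FIELD1/FIELD2/FIELD3 onto HOSTNAME/WINDOW/MAINTENANCE is likewise an assumption, since the answer leaves that open. Running this offline surfaces a non-matching regex or a field-name mismatch before the search is tried in Splunk.

```python
import re
from datetime import datetime

# Constructed sample events (assumed format, shaped to match the rex above;
# not real olliebot output). The last line deliberately does not match.
SAMPLE_LOG = [
    '2017-03-02 10:00:01 olliebot {"drqsNumber": 12345678, "routeToGroup": 42} '
    'PRQS 9001 submitted: take host-a.example offline on '
    'Thu Mar 02 2017 22:00:00 GMT+0000 (UTC) for kernel patching',
    '2017-03-02 10:05:07 olliebot {"drqsNumber": 12345679, "routeToGroup": 42} '
    'PRQS 9002 submitted: take host-b.example offline on '
    'Wed Mar 01 2017 09:30:00 GMT+0000 (UTC) for firmware update',
    '2017-03-02 10:09:12 olliebot {"drqsNumber": 12345680, "routeToGroup": 43} '
    'PRQS 9003 submitted: take host-a.example offline on '
    'Fri Mar 03 2017 01:00:00 GMT+0000 (UTC) for kernel patching',
    '2017-03-02 10:11:00 olliebot heartbeat ok',
]

# Same capture groups as the SPL rex. Field names are case-sensitive in
# Splunk, so the group names must match the eval/table exactly.
FIELD_RE = re.compile(
    r'"drqsNumber":\s(?P<DRQS>\d+).*'
    r'"routeToGroup":\s(?P<FIELD4>\d+).*'
    r'PRQS\s(?P<PRQS>\d+).*'
    r'take\s(?P<FIELD1>\S+)\soffline\son\s(?P<FIELD2>.*)\sfor\s(?P<FIELD3>.*)'
)

# JavaScript-style Date string, e.g. "Thu Mar 02 2017 22:00:00 GMT+0000 (UTC)".
# The parenthesised zone name differs between runtimes ("UTC" vs
# "Coordinated Universal Time"), so it is stripped and the numeric offset is
# parsed with %z rather than relying on %Z.
ZONE_NAME_RE = re.compile(r"\s*\([^)]*\)\s*$")
WINDOW_FMT = "%a %b %d %Y %H:%M:%S GMT%z"


def to_epoch(window: str) -> float:
    """Equivalent of the eval strptime(FIELD2, ...) step."""
    cleaned = ZONE_NAME_RE.sub("", window)
    return datetime.strptime(cleaned, WINDOW_FMT).timestamp()


def extract(lines):
    """Apply the rex to each event; events that do not match are dropped,
    as fillnull + search !="NULL" would drop them in the SPL."""
    rows = []
    for line in lines:
        m = FIELD_RE.search(line)
        if not m:
            continue
        row = m.groupdict()
        row["epochDate"] = to_epoch(row["FIELD2"])
        rows.append(row)
    return rows


def maintenance_table(lines):
    """Mirror of: sort 0 epochDate | table ... | dedup HOSTNAME.
    Assumes FIELD1 is the host taken offline, FIELD2 the window and
    FIELD3 the maintenance reason (hypothetical mapping)."""
    rows = sorted(extract(lines), key=lambda r: r["epochDate"])
    seen = set()
    table = []
    for r in rows:
        if r["FIELD1"] in seen:
            continue  # dedup keeps the first (earliest) event per host
        seen.add(r["FIELD1"])
        table.append({
            "HOSTNAME": r["FIELD1"],
            "DRQS": r["DRQS"],
            "PRQS": r["PRQS"],
            "WINDOW": r["FIELD2"],
            "MAINTENANCE": r["FIELD3"],
        })
    return table


if __name__ == "__main__":
    for row in maintenance_table(SAMPLE_LOG):
        print(row)
```

Swapping the constructed lines for a handful of real events copied from the log is the quickest way to confirm the regex before adding the rex back into the search one piece at a time.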