For some background on how the data is structured, it is JSON data that I have ingested a specific way, using a regex line break that works the best for most of the types of metrics I'm trying to find, so I can't split the events up differently. Within the JSON there are separate groupings of data that report on specific modules and whether they "pass" or "fail"; this is the information I'm trying to pull out. I would like to pull it into a chart to show "this many of 'X' passed and this many of 'X' failed". Below is a snippet of the JSON data to show what it looks like. There are over 100 of these groupings within a single JSON. I am trying to pull the "Severity" and "CurrentStatus" values to essentially mark the grouping as "Level2-Passed" and then do this for each grouping that is similar, and for "Level1-Passed", "Level1-Failed" and so on. I am able to get the number of "Severity" values and "CurrentStatus" values but have not been able to correlate the two together.

{
    "ID": "",
    "Title": "",
    "Rule": "",
    "Severity": "LEVEL II",
    "Version": "",
    "Description": "",
    "Location": "",
    "KeyName": "",
    "KeyType": "",
    "ExpectedValue": "",
    "OriginalValue": "",
    "CurrentValue": "",
    "Options": "",
    "Comments": "",
    "ActionTaken": "",
    "CurrentStatus": "PASSED",
    "Conflict": ""
},

I have tried using a combo of the following to split the single event into multiple events but have not found a search command that works with this to get the data in a format that will work.

| eval EventGroups=split(_raw,"},")

I have also tried using a number of combinations of rex and regex search commands similar to the below but have not been able to get them to work properly. Example:

| rex field=EventGroups "(?<LevelI>(.Severity.*?)(LEVEL I\b))"
| rex field=EventGroups "(?<LevelII>(.Severity.*?)(LEVEL II\b))"
| rex field=EventGroups "(?<LevelIII>(.Severity.*?)(LEVEL III\b))"
| rex field=EventGroups "(?<CurrentStatusPASSED>(.CurrentStatus.*?)(PASSED.))"
| rex field=EventGroups "(?<CurrentStatusFAILED>(.CurrentStatus.*?)(\SFAILED.))"

And...

| rex max_match=0 field=EventGroups "(?<SevCATI_F>(.*?.*\n.*\n.*\n.*\n.*?(\bLEVEL I\b).*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*?\S(\bFAILED\b).*\n.*\n.*?.*))"

Any help or advice with this would be greatly appreciated.
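One way to keep the two values paired per grouping, as an added example that is not from the original post: capture every {...} object into one multivalue field, expand it to one row per grouping, let spath parse that row, and only then combine the two fields into the label. Extracting Severity and CurrentStatus with separate rex commands over the whole event loses which value belongs to which grouping, which is why the counts could not be correlated. It assumes each grouping is a flat object with no nested braces, as in the snippet, and that the Severity values are LEVEL I, LEVEL II and LEVEL III.

```spl
| rex max_match=0 field=_raw "(?<grouping>\{[^{}]*\})"
| mvexpand grouping
| spath input=grouping
| eval Level=case(Severity=="LEVEL I",   "Level1",
                  Severity=="LEVEL II",  "Level2",
                  Severity=="LEVEL III", "Level3",
                  true(),                Severity)
| eval Status=case(CurrentStatus=="PASSED", "Passed",
                   CurrentStatus=="FAILED", "Failed",
                   true(),                  CurrentStatus)
| eval Result=Level."-".Status
| stats count by Result
```

For a chart rather than a table, replace the last line with `| chart count over Level by Status`, which gives one bar per level split by pass/fail.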