Hi team,
message_id status time
2020-01-21T13:09:14.416164Z PROCESSED 2020-02-19T01:50:05.55630875Z 2020-01-21T13:09:14.416164Z PROCESSING 2020-02-19T01:50:04.621606854Z 2020-01-21T13:09:44.586501Z ERROR 2020-02-19T01:50:04.305742277Z 2020-01-21T13:09:44.586501Z PROCESSING 2020-02-19T01:50:04.233225192Z 2020-01-21T13:09:44.586416Z PROCESSED 2020-02-19T01:50:04.142651435Z 2020-01-21T13:09:44.586416Z PROCESSING 2020-02-19T01:50:03.826457927Z 2020-01-21T13:09:44.586321Z PROCESSED 2020-02-19T01:50:03.745964666Z 2020-01-21T13:09:44.586321Z PROCESSING 2020-02-19T01:50:03.449583679Z 2020-01-21T13:09:44.586190Z PROCESSED 2020-02-19T01:50:03.337887858Z 2020-01-21T13:09:44.586190Z PROCESSING 2020-02-19T01:50:03.086329734Z 2020-01-21T13:09:44.586063Z PROCESSED 2020-02-19T01:50:03.00531639Z 2020-01-21T13:09:44.586063Z PROCESSING 2020-02-19T01:50:02.735821778Z
I have a three columns: message_id, status, time I need to get the count for status column like PROCESSED = ? PROCESSING = ? ERROR = ?
And finally, once we will get the count for ERROR,Processed,Processing then i need to do the subtraction like below: Total = ERROR+PROCESSED-PROCESSING Total = ?
I'm using below query to get the total but it does not work::
|rex field=log ".* Updated the Message Id : (?[^ ]). status : (?.*)" | table message_id, status, time | stats count by status | eval total = ERROR + PROCESSED - PROCESSING
... View more