I have 4 strings which are inside these tags OrderMessage
1) "Missed Delivery cut-off, Redated to <>"
2) "Existing account, Changed phone from <> to <>"
3) "Flagged as HLD"
4) "Flagged as FRD"
The date and phone number will be different but the string will be fixed each time. So I need a search which brings back a timechart count of how many times this string is logged.
My current search brings back 3 of these strings but does not include the last one. I need the last "Flagged as FRD" string to be counted.
index="uvtrans" "<a:OrderMessage>*</a:OrderMessage>"
NOT "<a:OrderMessage>OK</a:OrderMessage>"
| rex "\<a:OrderMessage\>(?P<Phrase>.*?)\<\/a:OrderMessage\>"
| eval Phrase=case(
match(Phrase,"Missed Delivery cut-off, Redated to"),
"Missed Delivery cut-off, Redated to <<Date>>",
match(Phrase,"Existing account, Changed phone from "),
"Existing account, Changed phone from <<PhoneNumber>> to <<PhoneNumber>>",
match(Phrase, "Customer Master flagged as HLD."),
"Flagged as HLD",
match(Phrase,"Customer Master flagged as FRD."),
"Flagged as FRD")
| timechart span=1week count by Phrase
Try this, it may not work, but it may reveal the problem:
index="uvtrans" "<a:OrderMessage>*</a:OrderMessage>"
NOT "<a:OrderMessage>OK</a:OrderMessage>"
| rex "\<a:OrderMessage\>(?P<Phrase>.*?)\<\a:OrderMessage\>"
| eval newPhrase=case(
match(Phrase,"Missed Delivery cut-off, Redated to"),
"Missed Delivery cut-off, Redated to <<Date>>",
match(Phrase,"Existing account, Changed phone from "),
"Existing account, Changed phone from <<PhoneNumber>> to <<PhoneNumber>>",
match(Phrase, "Customer Master flagged as HLD."),
"Flagged as HLD",
match(Phrase,"Customer Master flagged as FRD."),
"Flagged as FRD",
1==1,"No match")
| timechart span=1week count by newPhrase
Instead of the timechart, you might just want to do stats count by newPhrase Phrase to see what is happening.
Thanks for your response. I tried your search and I'm getting the following error
Error in 'eval' command: The expression is malformed. Expected ).
I'm not sure where the missing ( is
Can you refresh the page and try again? The first time I pasted it, I had a typo. I am looking at the command now, and I am not seeing a missing )
Just found a missing comma though!
Now fixed!
Yes your search works now!
The only thing now is that it's combining all the OrderMessages and not sorting them by type. Also the Y-axis and legend was titled "No Match".
Sounds like your match functions are not matching the data then - or perhaps the rex command is not working as you expect. I would run
index="uvtrans" "<a:OrderMessage>*</a:OrderMessage>"
NOT "<a:OrderMessage>OK</a:OrderMessage>"
| rex "\<a:OrderMessage\>(?P<Phrase>.*?)\</a:OrderMessage\>"
| eval newPhrase=case(
match(Phrase,"Missed Delivery cut-off, Redated to"),
"Missed Delivery cut-off, Redated to <<Date>>",
match(Phrase,"Existing account, Changed phone from "),
"Existing account, Changed phone from <<PhoneNumber>> to <<PhoneNumber>>",
match(Phrase, "Customer Master flagged as HLD."),
"Flagged as HLD",
match(Phrase,"Customer Master flagged as FRD."),
"Flagged as FRD",
1==1,"No match")
| table Phrase newPhrase _raw
To get a better idea of what is happening. I also just found a typo in the rex command!
Didn't you post this question yesterday? Why not expand your question there?
http://answers.splunk.com/answers/228167/how-to-extract-4-different-strings-with-rex-count.html
It's the same question with a different approach. I'm not sure if it's possible to make regex which will return what I was looking for. The search above returns 75% of what I'm looking for using match/case
Try posting a longer list of real data to test against. If it is really as simple as you say, just extracting one of four strings before a set of numbers, regex absolutely can do all of this, in one rex command even
Could you help getting this last value working for the match/case? I feel like I'm very close to getting this working and believe this way will be faster than redacting sensitive information and sharing info to test against
match(Phrase,"Customer Master flagged as FRD.")
The string in double quotes is treated as regular expression. So avoid using dots and if possible copy the exact string from your logs.
Took out all the periods in double quotes and still no luck..
Well no one will know what you're doing wrong until you post sample data, because your last match is the same as your third match except for the letters FRD and HLD. No one wants your sensitive information, it just makes answering the question easier when there is data to validate a potential answer against.
Try searching through your data and see if the string "Customer Master flagged as FRD." is truly the correct value to match against the phrase.
I currently have 12 values (YTD) that have "Pulled ship date of 04/10/15 on Express because Customer Master flagged as HLD."
I have 1 value (YTD) "Pulled ship date of 02/25/15 on Express because Customer Master flagged as FRD"
My last match has a case value of match(Phrase,"Customer Master flagged as FRD."),"Flagged as FRD") so intuition tells me that it should work. Do you see anything wrong with how I have it set up? Thanks for the help so far
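Added example, not part of any post in this thread: Python's re.search stands in here for Splunk's match(), which likewise treats its second argument as an unanchored regular expression, and the patterns are run over constructed events built from the two messages quoted above. The event envelope, the function names and the rule lists are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample events wrapping the two messages quoted in the thread;
# the <a:OrderMessage> envelope is assumed from the searches above.
EVENTS = [
    "<a:OrderMessage>Pulled ship date of 04/10/15 on Express because "
    "Customer Master flagged as HLD.</a:OrderMessage>",
    "<a:OrderMessage>Pulled ship date of 02/25/15 on Express because "
    "Customer Master flagged as FRD</a:OrderMessage>",
    "<a:OrderMessage>OK</a:OrderMessage>",
]

EXTRACT = re.compile(r"<a:OrderMessage>(?P<Phrase>.*?)</a:OrderMessage>")

# Patterns as posted: the trailing "." is a regex wildcard, so it needs
# one more character after "HLD"/"FRD" before the pattern can match.
POSTED = [
    (r"Customer Master flagged as HLD.", "Flagged as HLD"),
    (r"Customer Master flagged as FRD.", "Flagged as FRD"),
]

# Same patterns with the trailing dot dropped (literal text only).
LITERAL = [
    (r"Customer Master flagged as HLD", "Flagged as HLD"),
    (r"Customer Master flagged as FRD", "Flagged as FRD"),
]


def classify(phrase, rules):
    """First matching rule wins, like eval case(); unanchored like match()."""
    for pattern, label in rules:
        if re.search(pattern, phrase):
            return label
    return "No match"  # plays the role of the 1==1 catch-all


def count_labels(events, rules):
    """Extract Phrase from each event, skip OK messages, count by label."""
    counts = Counter()
    for event in events:
        m = EXTRACT.search(event)
        if m is None or m.group("Phrase") == "OK":
            continue
        counts[classify(m.group("Phrase"), rules)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("posted :", count_labels(EVENTS, POSTED))
    print("literal:", count_labels(EVENTS, LITERAL))
```

On these constructed events the FRD message, which ends at "FRD" with nothing after it, falls into "No match" under the posted patterns and is counted as "Flagged as FRD" once the dot is dropped.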