Hi All, I have one log, ABC, that is present in the sl-sfdc API and another log, EFG, that is present in the sl-gcdm API. Now I want to see the properties and error code fields which are present in the EFG log, but it has many other logs coming from different APIs also. I only want the log which has the same correlationId as ABC; then it should check the other log. And then I will use this regular expression to get the fields, like spath. Currently I am using this query:
index=whcrm (
sourcetype=xl-sfdcapi ("Create / Update Consents for gcid" OR "Failure while Create / Update Consents for gcid" OR "Create / Update Consents done")
) OR (
sourcetype=sl-gcdm-api ("Error in sync-consent-dataFlow:")
)
| rename properties.correlationId as correlationId
| rex field=_raw "correlationId: (?<correlationId>[^\s]+)"
| eval is_success=if(match(_raw, "Create / Update Consents done"), 1, 0)
| eval is_failed=if(match(_raw, "Failure while Create / Update Consents for gcid"), 1, 0)
| eval is_error=if(match(_raw, "Error in sync-consent-dataFlow:"), 1, 0)
| stats sum(is_success) as Success_Count, sum(is_failed) as Failed_Count, sum(is_error) as Error_Count
| eval Total_Consents = Success_Count + Failed_Count
| table Total_Consents, Success_Count, Failed_Count
The first one is the ABC log and the second is the EFG. I also want to use this regular expression in between to get the details:
| rex field=message "(?<json_ext>\{[\w\W]*\})"
| spath input=json_ext
Or there can be any other way to write the query and get the counts. Please help. Thanks in advance.
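One way to limit the counts to correlationIds that occur in both sources and then parse the JSON body of the EFG event, written here as an added example rather than the poster's own query. The index, sourcetypes and message patterns are taken from the post; the intermediate field names gcdm_message, json_ext and source_count, and the assumption that the EFG JSON sits in a field called message (with _raw as a fallback), are my own.

```spl
index=whcrm (
    sourcetype=xl-sfdcapi ("Create / Update Consents for gcid" OR "Failure while Create / Update Consents for gcid" OR "Create / Update Consents done")
) OR (
    sourcetype=sl-gcdm-api "Error in sync-consent-dataFlow:"
)
| rex field=_raw "correlationId: (?<correlationId>[^\s]+)"
| eval correlationId=coalesce(correlationId, 'properties.correlationId')
| where isnotnull(correlationId)
| eval is_success=if(match(_raw, "Create / Update Consents done"), 1, 0)
| eval is_failed=if(match(_raw, "Failure while Create / Update Consents for gcid"), 1, 0)
| eval is_error=if(match(_raw, "Error in sync-consent-dataFlow:"), 1, 0)
| eval gcdm_message=if(sourcetype=="sl-gcdm-api", coalesce(message, _raw), null())
| stats sum(is_success) as Success_Count, sum(is_failed) as Failed_Count, sum(is_error) as Error_Count,
        dc(sourcetype) as source_count, first(gcdm_message) as gcdm_message by correlationId
| where source_count=2
| rex field=gcdm_message "(?<json_ext>\{[\w\W]*\})"
| spath input=json_ext
| eval Total_Consents=Success_Count + Failed_Count
| table correlationId, Total_Consents, Success_Count, Failed_Count, Error_Count
```

The correlationId is extracted once for every event (regex first, then the properties.correlationId JSON path as a fallback), so both sourcetypes group under the same key. The stats counts distinct sourcetypes per correlationId, and where source_count=2 keeps only the ids that appear in both the ABC and EFG logs. The EFG message text is carried through the stats in gcdm_message so that the rex/spath pair can run after the filter; the keys of that JSON become fields and can be appended to the final table by name. For a single overall row, add | addcoltotals labelfield=correlationId label=Total at the end.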