I have the following search:
my search | eval LINE=(MESSAGE) | where MESSAGE LIKE "Process : Hp:%"
| stats values(DATETIME) as Date values(LINE) as Status
This search gives the following results:
Date Status
2023-10-31 Process : Hp: N1 - NOEAST WorkId: 9 Numbers: 209 Cases: 224 Lines: 465
2023-10-31 Process : Hp: N1 - NOEAST WorkId: 9 Numbers: 499 Cases: 577 Lines: 954
2023-11-02 Process : Hp: N2 - NOEAST WorkId: 13 Numbers: 178 Cases: 230 Lines: 376
2023-11-03 Process : Hp: N2 - NOEAST WorkId: 13 Numbers: 466 Cases: 497 Lines: 725
2023-11-03 Process : Hp: O1 - SOWEST WorkId: 11 Numbers: 182 Cases: 275 Lines: 619
I need to extract further to get the following result:
HP Total Numbers Total Cases Total Lines
N1 - NOEAST 9 708 801 1419
N2 - NOEAST 13 644 727 1101
O1 - SOWEST 11 182 275 619
Is it possible to use a subsearch and a regular expression to get the indexes of the parts of the string that I have to add together, to get the result I want? If so, can someone give me an example to start with? Or is there an easier way to do all of this together?
You can use the rex command with named capture groups in the regular expression to extract the necessary fields. After that, you can use the stats command to sum up the Numbers, Cases and Lines and group them by the HP field, which represents the combination of location and WorkId.
my search | where MESSAGE LIKE "Process : Hp:%"
| rex field=MESSAGE "Process : Hp: (?<HP>\w+\s-\s\w+)\sWorkId:\s(?<WorkId>\d+)\sNumbers:\s(?<Numbers>\d+)\sCases:\s(?<Cases>\d+)\sLines:\s(?<Lines>\d+)"
| stats sum(Numbers) as "Total Numbers", sum(Cases) as "Total Cases", sum(Lines) as "Total Lines" by HP, WorkId
| eval HP=HP." ".WorkId
| fields - WorkId
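As an added illustration (not part of the answer above), the same rex-plus-stats logic re-implemented in Python over the five constructed events from the question, so the expected totals can be checked offline; the function names are hypothetical.

```python
import re

# Same named-capture regex as the answer's rex command, in Python's (?P<name>...) syntax.
HP_PATTERN = re.compile(
    r"Process : Hp: (?P<HP>\w+\s-\s\w+)\sWorkId:\s(?P<WorkId>\d+)"
    r"\sNumbers:\s(?P<Numbers>\d+)\sCases:\s(?P<Cases>\d+)\sLines:\s(?P<Lines>\d+)"
)

# Constructed sample events, copied from the result table in the question.
SAMPLE_EVENTS = [
    ("2023-10-31", "Process : Hp: N1 - NOEAST WorkId: 9 Numbers: 209 Cases: 224 Lines: 465"),
    ("2023-10-31", "Process : Hp: N1 - NOEAST WorkId: 9 Numbers: 499 Cases: 577 Lines: 954"),
    ("2023-11-02", "Process : Hp: N2 - NOEAST WorkId: 13 Numbers: 178 Cases: 230 Lines: 376"),
    ("2023-11-03", "Process : Hp: N2 - NOEAST WorkId: 13 Numbers: 466 Cases: 497 Lines: 725"),
    ("2023-11-03", "Process : Hp: O1 - SOWEST WorkId: 11 Numbers: 182 Cases: 275 Lines: 619"),
    ("2023-11-03", "Process : Other: unrelated line that the LIKE filter drops"),
]


def extract_fields(message):
    """Equivalent of `where MESSAGE LIKE "Process : Hp:%" | rex field=MESSAGE ...`.

    match() anchors at the start, mirroring the prefix LIKE filter; returns None when
    the event does not match, just as rex leaves the fields unset.
    """
    m = HP_PATTERN.match(message)
    return m.groupdict() if m else None


def total_by_hp(events):
    """Equivalent of `stats sum(...) by HP, WorkId | eval HP=HP." ".WorkId`."""
    totals = {}
    for _date, message in events:
        fields = extract_fields(message)
        if fields is None:
            continue
        key = f"{fields['HP']} {fields['WorkId']}"
        row = totals.setdefault(key, {"Total Numbers": 0, "Total Cases": 0, "Total Lines": 0})
        row["Total Numbers"] += int(fields["Numbers"])
        row["Total Cases"] += int(fields["Cases"])
        row["Total Lines"] += int(fields["Lines"])
    return totals


if __name__ == "__main__":
    for hp, row in total_by_hp(SAMPLE_EVENTS).items():
        print(hp, row["Total Numbers"], row["Total Cases"], row["Total Lines"])
```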