Извлечение определенных значений поля только с одним значением

Question

Извлечение определенных значений поля только с одним значением

Нужно извлекать клиентов msisdn (From), которые отправили только одно SMS (Received) и что тоже "STOP". Логи ниже -

27.05.18:38:29.598 PM [2018-27-05 23:38:29.598 UTC] INFO pool-1-thread-3 [receiveSmsFileLogger] - Received = "JE S8 TELMA MALADE", From = "0765473387", Valid = "false" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\receive_sms.log sourcetype = MIP_Received_SMS
27.05.18:28:30.569 PM [2018-27-05 21:28:30.569 UTC] INFO pool-1-thread-2 [receiveSmsFileLogger] - Received = "''STOP''", From = "0765757431", Valid = "false" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\receive_sms.log sourcetype = MIP_Received_SMS
27.05.18:26:25.034 PM [2018-27-05 21:26:25.034 UTC] INFO pool-1-thread-1 [receiveSmsFileLogger] - Received = "1OUI", From = "0765757431", Valid = "ложный" хост = источник Vapp01SN = D: \ MIP \ Logs \ SMSC \ Cycle1 \ receive_sms.log sourcetype = MIP_Received_SMS
27.05.18:06:36.889 PM [2018-27-05 21:06:36.889 UTC] INFO pool-1-thread-3 [receiveSmsFileLogger] - Received = "STOP", From = "0766108902", Valid = "истинный" хост = источник Vapp01SN = D: \ MIP \ Logs \ SMSC \ Cycle1 \ receive_sms.log sourcetype = MIP_Received_SMS

0

splunk splunk-query splunk-calculation

Источник

user5644390 28 май '18 в 05:48

1 ответ

Другие вопросы по тегам splunk splunk-query splunk-calculation

user2227420 28 май '18 в 13:12 2018-05-28 13:12 · Answer 1 · 2018-05-28 13:12

Попробуй это

index=foo sourcetype=bar 
| rex "From\s*=\s*\\"(?<msisdn>\d+)" 
| rex "Received\s*=\s*\\"(?<msg>[^\\"]+)" 
| stats count(msg) as msgCount values(msg) as Msgs by msisdn 
| where msgCount=1 AND (mvindex(0,Msgs)=="STOP")

0

Источник

user2227420 28 май '18 в 13:12