i have logs that has a keyword "*CLP" reapeated multiple times in each event . i am trying the get the total counts of CLP in each event. here is the query i am using. Problem i am facing is this query is working fine with small size events but when it comes to large events with more CLP counts, the results are not acuurate. please help me to get the acuuate count?
index="idx" source="*TAPSSC_123.123" "*CLP*" |eval tokens = lower(replace(_raw, "\W+", " ")) |makemv tokens |eval matches = mvfilter(match(tokens, "^clp$")) |eval count_CLP = mvcount(matches) |stats sum(count_CLP) as CLP_count by source
log sample: you will see CLP keyword like that reapated multiple times in a event.
abvfyatfpwutnqwa25~CLP*k123456*1REF*6T*P1282158997301~AMT*c120~CLP*P11802586130*1*356612125491516
↧