I have log lines of the form (relevant excerpt only; they also contain hostname, timestamp, etc.):
data_name: A B C D E
data_name: A
data_name: A C D
Basically, data_name is a collection of strings from a set, each of which may or may not be present in a particular log line.
I want to extract several things:
1) the entries that have A
2) the entries that have A but not C in the same line
3) all possible entries
and display their count (and e.g. hostname) in a chart.
I've tried:
( data_name AND A ) OR ( data_name AND A NOT B ) | dedup host
but this gives me results that are not distinguishable. How can I rename the first predicate (left of the OR) so I can apply a "count" to it, and do the same for the second predicate (right of the OR), the third, the fourth, etc.?
Is this the right approach?
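The classification the post asks for, worked through in Python over constructed log lines as an added example (not part of the original post, and not an answer in the poster's search language): each predicate gets its own name, so the counts stay distinguishable per host. The line layout (timestamp, hostname, then the data_name field) and the host names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape described in the post (hypothetical hosts and timestamps).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z host1 data_name: A B C D E
2024-05-01T10:00:01Z host1 data_name: A
2024-05-01T10:00:02Z host2 data_name: A C D
2024-05-01T10:00:03Z host2 data_name: B D
2024-05-01T10:00:04Z host3 data_name: A E
"""

# Assumed line layout: <timestamp> <hostname> data_name: <space-separated tokens>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+data_name:\s*(?P<tokens>.*)$")

# The three predicates from the post, each given a name so its count is distinguishable.
PREDICATES = {
    "has_A": lambda tokens: "A" in tokens,
    "has_A_not_C": lambda tokens: "A" in tokens and "C" not in tokens,
    "all": lambda tokens: True,
}


def parse_line(line):
    """Return (host, set of data_name tokens), or None if the line does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("host"), set(m.group("tokens").split())


def count_by_host(log_text):
    """Count every named predicate per host.

    Tokens are matched as whole entries of the set, so a value like 'AB'
    does not satisfy the 'has A' predicate (unlike a plain substring search).
    """
    counts = defaultdict(lambda: {name: 0 for name in PREDICATES})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines without a data_name field
        host, tokens = parsed
        for name, predicate in PREDICATES.items():
            if predicate(tokens):
                counts[host][name] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, per_host in sorted(count_by_host(SAMPLE_LOG).items()):
        print(host, per_host)
```

In a search language the same idea is a flag per predicate computed on each event and summed per host, which yields one named count per predicate instead of a single OR-ed result set.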