Need to extract the msisdn (From) of customers who have sent only one SMS (Received), and that one was "STOP". The logs are below -
5/27/18 11:38:29.598 PM [2018-27-05 23:38:29.598 UTC] INFO pool-1-thread-3 [receivedSmsFileLogger] - Received="JE S8 TELMA MALADE", From="0765473387", Valid="false" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\received_sms.log sourcetype = MIP_Received_SMS
5/27/18 9:28:30.569 PM [2018-27-05 21:28:30.569 UTC] INFO pool-1-thread-2 [receivedSmsFileLogger] - Received="''STOP''", From="0765757431", Valid="false" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\received_sms.log sourcetype = MIP_Received_SMS
5/27/18 9:26:25.034 PM [2018-27-05 21:26:25.034 UTC] INFO pool-1-thread-1 [receivedSmsFileLogger] - Received="1OUI", From="0765757431", Valid="false" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\received_sms.log sourcetype = MIP_Received_SMS
5/27/18 9:06:36.889 PM [2018-27-05 21:06:36.889 UTC] INFO pool-1-thread-3 [receivedSmsFileLogger] - Received="STOP", From="0766108902", Valid="true" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\received_sms.log sourcetype = MIP_Received_SMS
Answer 0: (score: 0)
Try this
index=foo sourcetype=bar
| rex "From\s*=\s*\"(?<msisdn>\d+)"
| rex "Received\s*=\s*\"(?<msg>[^\"]+)"
| stats count(msg) as msgCount values(msg) as Msgs by msisdn
| where msgCount=1 AND (mvindex(Msgs,0)=="STOP")
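
To check the extraction logic offline before running it in Splunk, the following added example (not part of the original answer) mirrors the rex, stats and where steps in Python over log lines abbreviated from the question. The `normalize` option and the function name `stop_only_senders` are assumptions introduced here; the option covers the `''STOP''` variant seen in the logs, which the exact comparison in the search does not match.

```python
import re
from collections import defaultdict

# Same patterns as the rex commands above. The quote class also accepts
# typographic quotes, which appear when logs are pasted through a web page.
QUOTE = '["\u201c\u201d]'
FROM_RE = re.compile(r'From\s*=\s*' + QUOTE + r'(?P<msisdn>\d+)')
RECV_RE = re.compile(r'Received\s*=\s*' + QUOTE + r'(?P<msg>[^"\u201c\u201d]+)')

# Log lines abbreviated from the question (timestamp and host fields dropped).
SAMPLE = [
    'Received="JE S8 TELMA MALADE", From="0765473387", Valid="false"',
    'Received="\'\'STOP\'\'", From="0765757431", Valid="false"',
    'Received="1OUI", From="0765757431", Valid="false"',
    'Received="STOP", From="0766108902", Valid="true"',
]


def stop_only_senders(lines, normalize=False):
    """Return msisdns that sent exactly one message, and that message is STOP."""
    per_sender = defaultdict(list)
    for line in lines:
        sender, received = FROM_RE.search(line), RECV_RE.search(line)
        if not (sender and received):
            continue  # skip lines missing either field
        msg = received.group("msg")
        if normalize:
            # Assumption, not in the answer: treat ''STOP'' and "stop" as STOP.
            msg = msg.strip(" '").upper()
        per_sender[sender.group("msisdn")].append(msg)
    # A list comparison enforces both conditions: one message, equal to STOP.
    return sorted(m for m, sent in per_sender.items() if sent == ["STOP"])


if __name__ == "__main__":
    print(stop_only_senders(SAMPLE))
```
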