Extracting specific field values with only one value - PullRequest
0 votes
/ May 28, 2018

I need to extract the msisdn (From) of customers who sent only one SMS (Received), and that SMS was "STOP". The logs are below -

5/27/18 11:38:29.598 PM [2018-27-05 23:38:29.598 UTC] INFO pool-1-thread-3 [receiveSmsFileLogger] - Received = "JE S8 TELMA MALADE", From = "0765473387", Valid = "false" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\receive_sms.log sourcetype = MIP_Received_SMS

5/27/18 9:28:30.569 PM [2018-27-05 21:28:30.569 UTC] INFO pool-1-thread-2 [receiveSmsFileLogger] - Received = "'' STOP ''", From = "0765757431", Valid = "false" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\receive_sms.log sourcetype = MIP_Received_SMS

5/27/18 9:26:25.034 PM [2018-27-05 21:26:25.034 UTC] INFO pool-1-thread-1 [receiveSmsFileLogger] - Received = "1OUI", From = "0765757431", Valid = "false" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\receive_sms.log sourcetype = MIP_Received_SMS

5/27/18 9:06:36.889 PM [2018-27-05 21:06:36.889 UTC] INFO pool-1-thread-3 [receiveSmsFileLogger] - Received = "STOP", From = "0766108902", Valid = "true" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\receive_sms.log sourcetype = MIP_Received_SMS

1 Answer

0 votes
/ May 28, 2018

Try this

index=foo sourcetype=bar 
| rex "From\s*=\s*\"(?<msisdn>\d+)" 
| rex "Received\s*=\s*\"(?<msg>[^\"]+)" 
| stats count(msg) as msgCount values(msg) as Msgs by msisdn 
| where msgCount=1 AND (mvindex(Msgs,0)=="STOP")
...