topic Re: Erex in #Random

How do I use erex to create fields?

GuillermoRamos — Thu, 10 Mar 2022 16:44:50 GMT

How can I erex a line TRUE, FALSE, TRUE,, FALSE, FALSE, FALSE, , FALSE, FALSE source =" an imported CSV" the multiple true and false on the line have different column names. I am trying to create a label for each true and false following a reference sheet.

Re: Erex

richgalloway — Mon, 29 Nov 2021 16:20:34 GMT

What problem are you trying to solve? Chances are, erex is not the answer (it almost never is), but we need to know what it is you are trying to do.

Re: Erex

GuillermoRamos — Mon, 29 Nov 2021 16:28:25 GMT

So, I have multiple false and trues back to back and each one has a different meaning. I am trying to create fields for each one. For example, the first true/false =indicates if OAM is managed on computer, second true/false = is computer disabled. The way the results populate after indexing are literally TRUE, FALSE, TRUE,, FALSE, FALSE, FALSE, , FALSE, FALSE.

I hope that makes sense.

Re: Erex

richgalloway — Mon, 29 Nov 2021 17:43:52 GMT

There are a couple of ways to do that.

You can use rex at search time.

index=foo | rex "(?<OAM>\w+), (?<disabled>\w+), (?<field3>\w+), (?<field4>\w+), (?<field5>\w+), (?<field6>\w+), (?<field7>\w+), (?<field8>\w+)" | table OAM, disabled field3 field4 field5 field6 field7 field8

Other way is parse it at index-time using a REGEX in transforms.conf:

[parseflags] REGEX = (\w+), (\w+), (\w+), (\w+), (\w+), (\w+), (\w+), (\w+) FORMAT = OAM::$1 disabled::$2 field3::$3 field4::$4 field5::$5 field6::$6 field7::$7 field8::$8

Then invoke that transform in props.conf:

[mysourcetype] TRANFORM-parse = parseflags

Re: Erex

GuillermoRamos — Mon, 29 Nov 2021 18:55:30 GMT

That worked. Thank you

Re: Erex

richgalloway — Mon, 29 Nov 2021 20:19:11 GMT

Which method did you use?

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.