topic Re: Extracting fields in Alerting

Extracting fields

MicMoo — Tue, 03 Aug 2021 03:12:32 GMT

I have the following log

2021-08-03T14:12:40,872 th=foo cl=bla p=INFO {"tag":"bla","goo":"SPA","msg":{"dir":"in","correlation":"2035456876870723587526","pack":"ebcdic","0":"1234","3":"001234","4":"000000001234","6":"000000001234","7":"0803141240","11":"521464","41":"51400055","47":"ERT0001234000\\ARDABABDGDG\\GRE1234\\VTE01123400824\\GDE00\\SSER\\Ort612348\\Ort072\\rtI0\\","49":"124","61":"12340000004"}}

I would like to extract the two fields in RED and Pink and rename field to Co

The fields in BOLD GREEN will be key and must be present, rest might or might not.

This is what I got so far

index=bla | rex \"47\":\"*ARD(?<CODA>.{4})

however this is not working and filed is not getting populated.

Thank you

Re: Extracting fields

venkatasri — Tue, 03 Aug 2021 03:22:12 GMT

@MicMoo Can you try this?

<your_search> | rex "47\".+?\\\\ARD(?<red>\w{4})(?<pink>\w{4})"

Re: Extracting fields

MicMoo — Tue, 03 Aug 2021 03:39:26 GMT

Thank you @venkatasri , nearly there , when I use what you suggested nothing is extracted , however if I remove the "ARD" string , red and pink where populated but not all cases with the correct info

Re: Extracting fields

venkatasri — Tue, 03 Aug 2021 03:59:41 GMT

Can you share the samples that's not working.

Re: Extracting fields

MicMoo — Tue, 03 Aug 2021 04:10:34 GMT

Solved, should have simplified my search

\\\\ARD(?<RED>\w{4})(?<PINK>\w{4})