I'm trying to write a field extraction to get the number of hung threads on a WebSphere application server. The log statement looks something like:
[6/15/14 11:07:37:103 CDT] 00000003 ThreadMonitor W WSVR0605W: Thread "WebContainer : 21" (000000a3) has been active for 729415 milliseconds and may be hung. There is/are 3 thread(s) in total in the server that may be hung.
I want to key in on the following section: There is/are *3** thread(s)*
If I pipe search results into the rex, the value is successfully extracted into a field called hungthreadcount:
<search criteria> | rex field=_raw \sThere is\/are \(?<hung_thread_count>.*?\) thread"
However, when I manually enter the regex into the interactive field explorer no matches are found when I hit the "test" button...do I have to enter something specific to extract this value into a field?