How to extract field from sentence?


I'm trying to write a field extraction to get the number of hung threads on a WebSphere application server. The log statement looks something like:

[6/15/14 11:07:37:103 CDT] 00000003 ThreadMonitor W WSVR0605W: Thread "WebContainer : 21" (000000a3) has been active for 729415 milliseconds and may be hung. There is/are 3 thread(s) in total in the server that may be hung.

I want to key in on the following section: There is/are *3** thread(s)*

If I pipe search results into the rex, the value is successfully extracted into a field called hungthreadcount:

<search criteria> | rex field=_raw \sThere is\/are \(?<hung_thread_count>.*?\) thread"

However, when I manually enter the regex into the interactive field explorer no matches are found when I hit the "test" I have to enter something specific to extract this value into a field?

Re: How to extract field from sentence?

you are missing double quoted and they are too many escape characters in the regex, especially on the matching parenthesis.


... | rex field=_raw "There is\/are (?<hung_thread_count>\d+) thread"

