Archive

How do I fetch data from an existing field?

Communicator

I have a field in my log which contains a huge text data with two different formats. I tried to catch a few parts in a new field but was unable to get all the data.

First type
------------------------------------
Timestamp=26/SEP/2018 16:37:38 UTC|DBA_GROUP=X2Oracle_NSS|TOWER=NSS|DB_INSTANCE_NAME=lsrprod|DB_HOST_NAME=ABC|UAID=0|TABLE_OWNER=STAGE|TABLE_NAME=NFMDAT|PARTITION_POSITION=6|PARTITION=P2018|HIGH_VALUE=TTO_DATE(' 2019-01-01 00:00:00', 'SYYYY-MM-DD HH24:MI:SS', 'NLS_CALENDAR=GREGORIAN')|PREV_HIGH_VALUE=TTO_DATE(' 2018-01-01 00:00:00', 'SYYYY-MM-DD HH24:MI:SS', 'NLS_CALENDAR=GREGORIAN')

Second type
-------------------------------------------------
Timestamp=26/SEP/2018 16:01:06 UTC|DBA_GROUP=X2Oracle_GFS|TOWER=GFS|DB_INSTANCE_NAME=ecs02prd|DB_HOST_NAME=ASD|UAID=UDBID-15360|TABLE_OWNER=ECSREFRESH_EXCEPTION|TABLE_NAME=ECS_TRAN_AUDIT_HSTR_BKP|PARTITION_POSITION=27|PARTITION=ECSTRANAUDTHSTR_20170430|HIGH_VALUE=TIMESTAMP' 2017-05-01 00:00:00'|PREV_HIGH_VALUE=TIMESTAMP' 2017-04-01 00:00:00'
partition_check_En_Time=12:01:07 PM
End_Time: Wed Sep 26 12:01:07 EDT 2018

I used the below query to get the new field from above log.

base search  | eval Current_High_Value=substr(HIGH_VALUE, 11, 20) | eval Previous_High_Value=substr(PREV_HIGH_VALUE, 11, 20)

I am getting value properly for CurrentHighValue field but not getting complete data in PreviousHighValue. Its not picking data for second type of log.

0 Karma
1 Solution

Communicator

I have used below query and getting value properly.

base search | eval Current_High_Value=substr(HIGH_VALUE, 11, 20) 
        | rex "^(?:[^ \n]* ){5}(?P<Pre_High_Value>[^']+)"
        | eval Previous_High_Value= case(like(PREV_HIGH_VALUE, "TTO_DATE%"), substr(PREV_HIGH_VALUE, 11, 20), like(PREV_HIGH_VALUE, "TIMESTAMP%"), Pre_High_Value) 

View solution in original post

0 Karma

Communicator

I have used below query and getting value properly.

base search | eval Current_High_Value=substr(HIGH_VALUE, 11, 20) 
        | rex "^(?:[^ \n]* ){5}(?P<Pre_High_Value>[^']+)"
        | eval Previous_High_Value= case(like(PREV_HIGH_VALUE, "TTO_DATE%"), substr(PREV_HIGH_VALUE, 11, 20), like(PREV_HIGH_VALUE, "TIMESTAMP%"), Pre_High_Value) 

View solution in original post

0 Karma

Influencer

You can use rex command to get Previous high value-

rex field=PREVHIGHVALUE "\W+\s+(?\d{4}-\d{2}-\d{2})"

0 Karma

Communicator

Thanks @Vijeta

0 Karma