Jul 10 06:59:22 icopenstack01 clamav[9040]: Infected files: 0
source = /var/log/remote/icopenstack01.log sourcetype = icopenstack-too_small
How do I extract the number after "Infected files:" into a field with rex?
"Infected files:" | rex field=_raw "Infected files: (?\d+.)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")
I use this query, but the Infected field is empty.
You need to name the field you extracted: (?P<Infected>\d+)
"Infected files:" | rex field=_raw "Infected files: (?P<Infected>\d+)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")
I believe an additional dot at the end of your regex (after \d+) is causing your field extractions to fail. Use the exact regex given by cpetterborg.
Also, when you post code/search, do remember to (after selecting the code/search) click on the 101010 button or press Ctrl+K to format it, else you'll lose special characters like capturing groups.
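As an added illustration (not part of any post in this thread), the script below runs the three regexes discussed above over a few constructed clamav-style events, using Python's re module. Python accepts the same (?P<name>...) named-group syntax that Splunk's rex uses, so it reproduces both points made in the answers: the pasted pattern with the group name stripped is not even a valid regex, and the pattern with a trailing dot only matches when at least one more character follows the digits, so a count of 0 yields an empty field while a two-digit count happens to extract. The event lines and the `rex` helper are my own constructions, not Splunk code.

```python
import re

# Constructed sample events, modelled on the clamav line in the question (not real log data).
SAMPLE_EVENTS = [
    "Jul 10 06:59:22 icopenstack01 clamav[9040]: Infected files: 0",
    "Jul 10 07:59:22 icopenstack01 clamav[9040]: Infected files: 3",
    "Jul 10 08:59:22 icopenstack01 clamav[9040]: Scanned directories: 12",
    "Jul 10 09:59:22 icopenstack01 clamav[9040]: Infected files: 12",
]

# The regexes under discussion. Splunk's rex uses PCRE syntax; Python's re accepts the
# same (?P<name>...) named groups, so the behaviour carries over for these patterns.
REGEX_BROKEN_NAME = r"Infected files: (?\d+.)"             # group name lost when the search was pasted
REGEX_TRAILING_DOT = r"Infected files: (?P<Infected>\d+.)"  # named, but needs one more char after the digits
REGEX_CORRECT = r"Infected files: (?P<Infected>\d+)"        # the regex given by cpetterborg


def rex(event, pattern, field="Infected"):
    """Mimic `rex field=_raw "<pattern>"` (my helper, not Splunk's implementation):
    return the named capture, or None when the pattern does not match.
    Splunk leaves the field empty in that case, which is what the question observed."""
    m = re.search(pattern, event)
    if m is None:
        return None
    return m.group(field)


def compiles(pattern):
    """True if the pattern is a valid regex. `(?\\d+)` is not: `(?` must start a group modifier."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def extract_all(pattern):
    """Run one pattern over every sample event and return the extracted values in order."""
    return [rex(ev, pattern) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    print("broken-name pattern is a valid regex:", compiles(REGEX_BROKEN_NAME))
    for label, pat in [("trailing dot", REGEX_TRAILING_DOT), ("correct", REGEX_CORRECT)]:
        print(f"{label:13s}", extract_all(pat))
```

Running it shows the correct pattern extracting "0", "3" and "12" (and nothing from the unrelated "Scanned directories" event), while the trailing-dot pattern extracts only "12": the dot consumed the second digit, which is why a pattern like that can look like it works on some events and silently produce an empty field on others.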
"Infected files:" | rex field=_raw "Infected files: (?\d*)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")
After trying many times, I discovered that \d* solves this.