I have events like this; from these I have to extract the bold name, like:
Burp-collab
Qualys_scanner_RPA
SIE-PT-BAU-1
SIE-PT-BAU-2Kali
Can anyone help me with this?
<166>2020-09-11T12: [Originator@6870 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/Burp-Collab/Burp-Collab.vmx opID=1bcac8c3 user=root] |
<13>2020-09-08T05: /vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/Qualys_scanner_RPA/Qualys_scanner_RPA.vmx: Connected to mks-fd |
<164>2020-09-11T13:[Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/SIE-PT-BAU-1/SIE-PT-BAU-1.vmx] Failed to find activation record, event user unknown. |
<166>2020-09-08T05:54:57.060Z siscesxi01.sisc-lab.com Hostd: info hostd[2099583] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/SIE-PT-BAU-2Kali/SIE-PT-BAU-2Kali.vmx opID=1bca6b2a user=root] Ticket issued for mks service to user: root |
Values will be extracted into a new field called "newfield".
| rex "(?<newfield>[^\/]+)(?=.vmx)"
index=yourindex
| rex "(?<newfield>[^\/]+)(?=.vmx)"
| table newfield
Thanks for your response, but I am not getting that specific field.
count
<13>2020-09-14T09:15:07Z vmauthd[6227095]: Local connection for | 1 |
<13>2020-09-14T10:28:09Z vmauthd[6232159]: Local connection for | 1 |
<166>2020-09-14T08:58:37.120Z Hostd: info hostd[2099584] [Originator@6876 sub=Libs opID=vim-cmd-c1-6005 user=dcui] Found | 1 |
<166>2020-09-14T08:58:37.120Z Hostd: info hostd[2099584] [Originator@6876 sub=Libs opID=vim-cmd-c1-6005 user=dcui] Starting |
I am getting results like this.
I want only the name of that particular field.
Following the previous answer, simply use a stats command:
index=yourindex
| rex "(?<newfield>[^\/]+)(?=.vmx)"
| stats latest(_raw), count by newfield
If the value matches the regular expression then newfield will have values, otherwise not.
The table below doesn't have the values you posted in the question.
| rex "(?<VMX>[^\/]+)\.vmx"
This one works... Thanks for your help.
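The extraction discussed in this thread, replayed offline as an added example (not code from any of the posters): it runs the first answer's pattern and a stricter variant over the events quoted above, using Python's `re` with `(?P<name>...)` group syntax in place of SPL's `(?<name>...)`. The `STRICT` pattern, the helper names and the `CONSTRUCTED` line are assumptions of this example.

```python
import re

# Pattern from the first answer. The dot in the lookahead is unescaped,
# so it matches any character, not only a literal ".".
LOOSE = re.compile(r"(?P<newfield>[^/]+)(?=.vmx)")
# Stricter variant (assumption of this example): the name must follow a path
# separator and be followed by a literal ".vmx" at a word boundary.
STRICT = re.compile(r"/(?P<vm>[^/]+)\.vmx\b")

VOL = "/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96"
# Events copied from the question.
VMX_EVENTS = [
    f"<166>2020-09-11T12: [Originator@6870 sub=Vmsvc.vm:{VOL}/Burp-Collab/Burp-Collab.vmx opID=1bcac8c3 user=root]",
    f"<13>2020-09-08T05: {VOL}/Qualys_scanner_RPA/Qualys_scanner_RPA.vmx: Connected to mks-fd",
    f"<164>2020-09-11T13:[Originator@6876 sub=Vmsvc.vm:{VOL}/SIE-PT-BAU-1/SIE-PT-BAU-1.vmx] Failed to find activation record, event user unknown.",
    f"<166>2020-09-08T05:54:57.060Z siscesxi01.sisc-lab.com Hostd: info hostd[2099583] [Originator@6876 sub=Vmsvc.vm:{VOL}/SIE-PT-BAU-2Kali/SIE-PT-BAU-2Kali.vmx opID=1bca6b2a user=root] Ticket issued for mks service to user: root",
]
# Events from the asker's result table: they contain no .vmx path at all.
OTHER_EVENTS = [
    "<13>2020-09-14T09:15:07Z vmauthd[6227095]: Local connection for",
    "<166>2020-09-14T08:58:37.120Z Hostd: info hostd[2099584] [Originator@6876 sub=Libs opID=vim-cmd-c1-6005 user=dcui] Found",
]
# Constructed line: "vmx" appears inside a hostname, with no .vmx file path.
CONSTRUCTED = "<13>2020-09-14T09:15:07Z host=devmx01 heartbeat ok"


def extract(pattern, group, event):
    """Return the named group from the first match, or None (field stays empty)."""
    m = pattern.search(event)
    return m.group(group) if m else None


def count_by_vm(events):
    """Rough equivalent of '| stats count by <field>': unmatched events are dropped."""
    counts = {}
    for event in events:
        vm = extract(STRICT, "vm", event)
        if vm is not None:
            counts[vm] = counts.get(vm, 0) + 1
    return counts


if __name__ == "__main__":
    for event in VMX_EVENTS + OTHER_EVENTS + [CONSTRUCTED]:
        print(repr(extract(LOOSE, "newfield", event)),
              repr(extract(STRICT, "vm", event)))
    print(count_by_vm(VMX_EVENTS + OTHER_EVENTS))
```

Both patterns agree on the events from the question, and both leave the field empty for events without a `.vmx` path; only the constructed line separates them.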