How to discard extra text from a single line in ev...

Kumar2 · ‎12-06-2021

Example: Mynameissachintendulkar .Except sachin I need to remove remaining all text .please help me with the query. Thanks in Advance

Kumar2 · ‎12-06-2021

Eg: mynameisgautamkrishna .after extracting name=gautam .now I have to Delete everything Except Gautam and only name (Gautam) will display in events

.

mynameisgautamkrishna

After Ingest and Extract Name=Gautam

Gautam should display in Events as well as in corresponding Interesting field (Name)

gcusello · ‎12-06-2021

you have to identify a rule to extract the field to display: e.g. take all after "mynameis".

In your sample, it's easy to understand where the field sarts but it's difficoult to understand where the field finishes:

| rex "mynameis(?<name>\w+)"

if the number of chars is fixed (e.g. 8), you could use something like this

| rex "mynameis(?<name>\w{8})"

Ciao.

Giuseppe

gcusello · ‎12-06-2021

what do you mean with "discard"?

are you speaking of discard before indexing or discard at search time?

Could you share some sample of your logs?

Ciao.

Giuseppe

Kumar2 · ‎12-06-2021

Discard at the Search time sir

gcusello · ‎12-06-2021

if you have a rule for the not displaying part (e.g. all after Except), you could create a regex like this:

| rex "^(?<part_to_display>.*)Except"

to extract the part of _raw to display.

If you could share some sample I could help you more.

Ciao.

Giuseppe

How to discard extra text from a single line in events?