Hi,
I have the below event where i tried to extract field ServerA
Event:
ADMU0509I: The Application Server "serverA" cannot be reached. It appears to be stopped.
Query: source="teststatus"| rex max_match=100 field=_raw "Server\s"(?P<jvm>.*)"\s*cannot\sbe\s(?P<status>.*)"|table jvm,host
Output is showing as "serverA" instead of serverA. I dont want the double quotes, how do i achieve that?
@SS1
You can use backslash before quotes to consider in regex like below-
source="teststatus"| rex max_match=100 field=_raw "Server\s\"(?P<jvm>.*)\"\s*cannot\sbe\s(?P<status>.*)"|table jvm,host
If this helps an upvaote will be appreciated!
Thanks. This solution worked
@SS1
You can use backslash before quotes to consider in regex like below-
source="teststatus"| rex max_match=100 field=_raw "Server\s\"(?P<jvm>.*)\"\s*cannot\sbe\s(?P<status>.*)"|table jvm,host
If this helps an upvaote will be appreciated!