How to extract field using rex command

philgopaul · ‎02-12-2019

Hi,

I have this sample log and I want to extract the request ID value after the period. Each of those numbers are unique in my log file.

Timeout sending message for request ID.140445678

I've tried various ways but cannot come up with working rex command that would extract those values as a field.

... | rex field=_raw "request <(?w+)>"

Any assistance would be awesome, thanks so much.

woodcock · ‎02-13-2019

Try this:

... | rex "(?<request>\d+)[\r\n\s]*$"

vinod94 · ‎02-13-2019

You can try this,

| makeresults 
| eval data="Timeout sending message for request ID.140445678" 
| rename data as _raw 
| rex "request\sID\.(?P<request_id>.*)"

renjith_nair · ‎02-12-2019

@philgopaul ,

Try

|rex field=_raw "request ID\.(?<request_id>\d+)"

---
What goes around comes around. If it helps, hit it with Karma 🙂

Join the Conversation