Hi all,
I have created two different searches as below:
index="nbtktfed44971" sourcetype="nbtktfed" "-I" "-c" "-l" "-f"
| rex "\] (?<JobName>\w+)"
| rex "-c (?<Channel>\w+)"
| rex "-f (?<FilePath>.+)\s"
AND
index="nbtktfed44971" sourcetype="nbtktfed" "Malformed message"
| rex "Readable Payload {\s*(?<ReadablePayload>[^}]+)[^{]+{ (?<Reason>[^}]+)[^{]+{(?<RejectionType>[^}]+)[^{]+{(?<CurrentLine>[^}]+)"
| rex field=Reason "^(?<Reason_message>.*)."
| rex field=Reason "Error at (?<Error_location>.*)"
| rex field=Reason "Error in segment (?<Error_segment>.*)."
| rex field=Reason "Error in group Group id: (?<Error_group>.*)."
| rex field=Reason "Converted segments: (?<Converted_segments>.*)"
| rex field=Reason "Cannot convert CSC from here==>(?<Error_CSC_location>.*)"
I want, for example, to display Reason message by job name. How can I do that?
Hello
Just convert your rex commands into Field Extractions. You can do that either with the visual tool by selecting an Event -> Event Actions -> Extract Fields, or via the navigation: Settings -> Fields -> Field extractions.
After the fields have been extracted automatically, you are able to use such a search:
index="nbtktfed44971" sourcetype="nbtktfed" (("-I" "-c" "-l" "-f") OR ("Malformed message"))
I found a way to do this.
index="nbtktfed44971" sourcetype="nbtktfed" -I -c -l -f
| join type=outer
[ search index="nbtktfed44971" sourcetype="nbtktfed" "Malformed message"
| fields Reason]
| fields JobName, Reason
| table JobName, Reason
Thanks, I was able to extract fields from the first search, but not the second.
In the second command I use rex on the field "reason". When I use field extraction I'm not able to write a correct regex to extract all the fields...
Now I have extracted all my fields using regex.
But I'm still not able to display a field from one line together with a field from another line.
For example, i have the following lines of logs:
timestamp [status] log log log log Name log log log
timestamp [status] log : log
log : log
infob : valueb
And I want to create visualisations, tables, reports and statistics of Name by valueb. Is it possible?
Hey.
It should be possible by using EXTRACT from props.conf:
EXTRACT-<class> = [<regex>|<regex> in <src_field>]
* Use '<regex> in <src_field>' to match the regex against the values of a
specific field. Otherwise it just matches against _raw (all raw event
data).
Example:
EXTRACT-reason1 = ^(?<Reason_message>.*). in Reason
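As an added example (not from the thread), here is a complete props.conf stanza that turns every rex command from the question into a search-time EXTRACT-* extraction, using the `in <src_field>` form from the answer above for the fields derived from Reason. It assumes the sourcetype is nbtktfed and that the file lives on the search head under a placeholder app path.

```ini
# Added example: props.conf stanza for sourcetype nbtktfed (not the thread's own config).
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf (placeholder app name).
[nbtktfed]

# Job invocation lines (first search): JobName, Channel, FilePath matched against _raw
EXTRACT-jobname  = \] (?<JobName>\w+)
EXTRACT-channel  = -c (?<Channel>\w+)
EXTRACT-filepath = -f (?<FilePath>.+)\s

# "Malformed message" events (second search): the four brace-delimited blocks.
# Braces are escaped here; an unescaped "{" that is not a quantifier is also a
# literal in PCRE, so this matches exactly as the original rex did.
EXTRACT-malformed = Readable Payload \{\s*(?<ReadablePayload>[^}]+)[^{]+\{ (?<Reason>[^}]+)[^{]+\{(?<RejectionType>[^}]+)[^{]+\{(?<CurrentLine>[^}]+)

# Derived fields: matched against the value of Reason instead of _raw ("in Reason").
# Note: "^(?<Reason_message>.*)." keeps all but the last character of a single-line
# Reason, because the greedy .* backtracks one position so the trailing "." can match.
EXTRACT-reason_message   = ^(?<Reason_message>.*). in Reason
EXTRACT-reason_location  = Error at (?<Error_location>.*) in Reason
EXTRACT-reason_segment   = Error in segment (?<Error_segment>.*). in Reason
EXTRACT-reason_group     = Error in group Group id: (?<Error_group>.*). in Reason
EXTRACT-reason_converted = Converted segments: (?<Converted_segments>.*) in Reason
EXTRACT-reason_csc       = Cannot convert CSC from here==>(?<Error_CSC_location>.*) in Reason

# Check once the stanza is active: Reason must populate before the "in Reason"
# fields can, so verify it first, e.g.
#   index="nbtktfed44971" sourcetype="nbtktfed" "Malformed message" | table Reason Reason_message
```

With these extractions in place, the join search posted earlier in the thread works with all of its `| rex` lines removed, since both event types now carry their fields at search time.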