I have 2 sets of logs. I am supposed to extract the content between the last 2 '#' among the below logs.
Please help.
<12>Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#
<12>Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #
The information written in bold needs to be extracted into a field called 'message'.
I tried the following regex:
(?(field_name_with_angular_brackets)User..\s.)
Please let me know how to do this.
Also please let me know how to combine regex of 2 fields into a single field.
Another option with just 1 step:
(your search) | rex "#\s(?!.*# )(?<message>[^#]+)#$"
Then if you want to create a new field from two others, just use a period between them.
...
| eval f1="abc"
| eval f2="123"
| eval f3=f1.f2
| eval f4=f1."_".f2
So f3 will be abc123 and f4 will be abc_123
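The same "between the last two #" extraction and the dot-style field concatenation, as an added Python example that is not from the original thread (the two sample events are copied from the question; the lazy quantifier is a deliberate change so the blank before the final '#' in the second event is not captured):

```python
import re

# Constructed sample events, copied from the question (syslog <PRI> prefix kept).
SAMPLE_LOGS = [
    "<12>Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login "
    "# SSO # Success # User login successful.#",
    "<12>Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager "
    "# Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: "
    "The user name does not match the password or the account does not exist. #",
]

# Python spelling of the rex pattern "#\s*(?<message>[^#]+)\s*#\s*$" (Python needs (?P<name>...)).
# [^#] cannot cross a '#', so the group can only match text between the last two '#'.
# The lazy +? is deliberate: a greedy [^#]+ would keep the blank before the final '#'
# in the second sample, because the \s* after the group is allowed to match nothing.
LAST_FIELD = re.compile(r"#\s*(?P<message>[^#]+?)\s*#\s*$")


def extract_message(event: str):
    """Return the text between the last two '#' of an event, or None if there is no such pair."""
    m = LAST_FIELD.search(event)
    return m.group("message") if m else None


def hash_fields(event: str):
    """Generalisation: every '#'-delimited field after the header, stripped of surrounding blanks.

    The last element equals extract_message(event); the others are the severity/user/... columns.
    """
    parts = [p.strip() for p in event.split("#")]
    return [p for p in parts[1:] if p]  # parts[0] is the header text before the first '#'


def combine(f1: str, f2: str, sep: str = "") -> str:
    """Equivalent of `| eval f4=f1.sep.f2`: concatenate two field values with an optional separator."""
    return f"{f1}{sep}{f2}"


if __name__ == "__main__":
    for event in SAMPLE_LOGS:
        print(repr(extract_message(event)))
```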
Like this:
| makeresults
| eval raw="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#:::Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "#\s*(?<message>[^#]+)\s*#\s*$"
@vaibhavbharadwaj, try the following regular expression:
| rex "\#\s*(?<message>[^\#]+)\s*#$"
The following is a run-anywhere example based on the sample data provided. Please try it out and confirm!
| makeresults
| fields - _time
| eval data="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#;Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| rex "\#\s*(?<message>[^\#]+)\s*#$"
Do you have access to the search heads to modify the transforms and props.conf files?
| makeresults
|eval string="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#"
| rex mode=sed field=string "s/\#*$//"
| rex field=string "(?<message>[^\#]*$)"
| table string message
Explanation:
| rex mode=sed field=string "s/\#*$//" -> replaces the last # with nothing
| rex field=string "(?<message>[^\#]*$)" -> captures everything after the last # and dumps it in a new field 'message'