We have multiple lines within double quotes, and they need to be updated in different field names according to the names we have.
All values have to go into different field names separately; each value is within double quotes.
The below regex is working, but it is picking all the values and updating them in one field. I am looking for:
1. the value within the first double quotes being picked into one common field name
2. the value within the second double quotes being picked into a second common field name
3. the value within the third double quotes being picked into a third common field name
| rex "\\\"(?<JobId>[^\\\"]+)"
Please share your complete raw event in a code block </> so that formatting is not compromised.
Hi @ITWhisperer
This is the raw event coming from a CSV file
Whichever values come in double quotes have to be separated and updated in unique field names.
Even if there are empty values within the double quotes, it shouldn't skip them.
Sometimes the character strings are lengthy; they shouldn't get updated into another field.
"17449551","pmqcd1p3","SAP for Oracle","PMQ","N/A","default","(Logcommand line)","Backup 3RD","Full(Log)","Mar 20, 2023","Mar 20, 2023, 10:21:16 AM","20","","0","Failed","CVLT","Error occurred in Disk Media, For more help, please call your vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd","","","Mar 20, 2023, 10:41:49 AM"
Assuming all your field values are in double quotes, even the numerics, and that you have no embedded / escaped double quotes, you can do something like this:
| rex max_match=0 "(?<field>\"[^\"]*\")"
| eval field1=mvindex(field,0)
| eval field2=mvindex(field,1)
Note that mvindex indexes start at zero. Obviously you can name the fields how you like, not necessarily "field1", "field2", etc.
My issue here is actually this:
the below line actually has to be covered under a field called "Failure Reason", and when I give the below mvindex command it's working fine,
but not all the failure reasons occupy 2 mvindex values; some occupy 1 and some occupy more than 1 (2 or 3 or 4).
| eval "Failure Reason"=mvindex(_raw,19,20)
"Error occurred in Disk Media, For more help, please call your vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd"
And another issue here: if we have 2 empty values, when I give the below mvindex it's picking the value which is supposed to be updated in the 23rd mvindex (i.e. the date timestamp gets updated) instead of staying blank.
| eval "Failure Reason"=mvindex(_raw,21)
""
""
"Mar 20, 2023, 10:41:49 AM"
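An added example, not part of this thread and not Splunk code: a Python re-run of the answer's extraction (`rex max_match=0 "(?<field>\"[^\"]*\")"` followed by `mvindex`) over the raw event posted above, to show why the two follow-up problems (a failure reason with embedded commas spreading over several positions, and empty "" values shifting the timestamp into the wrong slot) do not occur when every quoted run is taken as one value with `[^"]*`, and what happens when the class is written `[^"]+` instead (no empty values allowed, as in the first regex posted). Python's `re` is used here only because it has the same character-class semantics; the field names in `FIELD_NAMES` are assumptions chosen from the event's content, and the sample event is the constructed copy of the one posted in the thread.

```python
import re

# Constructed sample: the raw CSV event posted in this thread. It contains
# embedded commas (timestamps, failure reason), one empty field in the middle
# and two consecutive empty fields near the end.
SAMPLE_EVENT = (
    '"17449551","pmqcd1p3","SAP for Oracle","PMQ","N/A","default",'
    '"(Logcommand line)","Backup 3RD","Full(Log)","Mar 20, 2023",'
    '"Mar 20, 2023, 10:21:16 AM","20","","0","Failed","CVLT",'
    '"Error occurred in Disk Media, For more help, please call your '
    "vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd\","
    '"","","Mar 20, 2023, 10:41:49 AM"'
)

# Same idea as the answer's rex: one quoted run per match. `*` accepts an
# empty "" value; `+` (as in the first regex posted in the thread) does not,
# so it cannot match "" and instead starts matching at a *closing* quote.
QUOTED_FIELD_KEEP_EMPTY = re.compile(r'"([^"]*)"')
QUOTED_FIELD_DROP_EMPTY = re.compile(r'"([^"]+)"')

# Assumed (hypothetical) names for positions in this event; index 0 = JobId.
FIELD_NAMES = {0: "JobId", 16: "Failure Reason", 19: "End Time"}


def extract_quoted_fields(raw, keep_empty=True):
    """Return every double-quoted value, in order, as one list element each.

    This is the findall equivalent of `rex max_match=0`: a match runs from an
    opening quote to the next quote, so commas inside a value never split it,
    and an empty "" still occupies its position when keep_empty is True.
    """
    pattern = QUOTED_FIELD_KEEP_EMPTY if keep_empty else QUOTED_FIELD_DROP_EMPTY
    return pattern.findall(raw)


def name_fields(values):
    """Map positional values to names, the way `eval x=mvindex(field, n)` does.

    Positions beyond the end of the list are simply absent, which is what
    happens in SPL when an index points past the last multivalue element.
    """
    return {name: values[i] for i, name in FIELD_NAMES.items() if i < len(values)}


def naive_comma_split(raw):
    """What a plain split on commas does to the same line: the timestamps and
    the failure reason fragment into several pieces, so the index of every
    later field depends on how many commas the free-text values contained."""
    return raw.split(",")


if __name__ == "__main__":
    kept = extract_quoted_fields(SAMPLE_EVENT)
    dropped = extract_quoted_fields(SAMPLE_EVENT, keep_empty=False)
    print(len(kept), "fields with [^\"]*  ->", name_fields(kept))
    print(len(dropped), "fields with [^\"]+ ->", name_fields(dropped))
    print(len(naive_comma_split(SAMPLE_EVENT)), "pieces from a comma split")
```

Running it shows 20 values with `[^"]*`, the whole failure reason at one index and the end timestamp at its own, while `[^"]+` yields 19 values whose tail is a run of lone commas, because once it cannot match `""` it resynchronises on closing quotes. If an event can carry an escaped quote inside a value, neither class is enough and a proper CSV parser is the right tool.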
Please show your complete SPL and the raw event which is giving you problems