Hello Splunk,
I have the following raw log lines:
1 2019-01-29T15:44:41.184068+00:00 xxx vpxd 4566 - - Event [5650552] [1-1] [2019-01-29T15:44:41.182223Z] [vim.event.VmMigratedEvent] [info] [] [x - x] [5650175] [Migration of virtual machine vm1 from host1, ds_SSD_001 to host1, ds_SSD_002 completed]
I'm trying to find all log entries where both fields containing SSD (ds_SSD_001, or ds_SSD_002, or ds_SSD_00x) are different.
(This basically means that one VM has moved from one datastore to another)
I figured I should be using rex to extract the 2 occurrences of SSD and compare them | where field1 != field2
I can't manage to find the regex code to extract these fields (I'm very new to regex...)
Try this: Migration of .*, (?<store1>\S+).*, (?<store2>\S+)
https://regex101.com/r/IFFrB3/1
You can use this like so:
Your search | rex "Migration of .*, (?<store1>\S+).*, (?<store2>\S+)" | table store1 store2
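To check the extraction together with the comparison the question asks for, here is an added example (not part of the original thread) that runs the answer's pattern over sample events and keeps only real datastore changes. It is written in JavaScript because it accepts the same `(?<name>...)` syntax as rex; the function names and the second and third sample events are constructed for illustration.

```javascript
// Added example, not from the original thread.
// Same pattern as the answer's rex command.
const MIGRATION_RE = /Migration of .*, (?<store1>\S+).*, (?<store2>\S+)/;

// Sample events: the first is the line from the question; the second and
// third are constructed (same-datastore migration, unrelated event).
const SAMPLE_EVENTS = [
  "1 2019-01-29T15:44:41.184068+00:00 xxx vpxd 4566 - - Event [5650552] [1-1] [2019-01-29T15:44:41.182223Z] [vim.event.VmMigratedEvent] [info] [] [x - x] [5650175] [Migration of virtual machine vm1 from host1, ds_SSD_001 to host1, ds_SSD_002 completed]",
  "[vim.event.VmMigratedEvent] [info] [Migration of virtual machine vm2 from host1, ds_SSD_001 to host2, ds_SSD_001 completed]",
  "[info] [some unrelated event for vm3 on host1]",
];

// Equivalent of the rex step: returns the two datastore names, or null
// when the line is not a migration event.
function extractStores(line) {
  const m = MIGRATION_RE.exec(line);
  return m ? { store1: m.groups.store1, store2: m.groups.store2 } : null;
}

// Equivalent of appending `| where store1 != store2` in the search:
// events with no extracted fields are dropped, and so are migrations
// that stayed on the same datastore.
function datastoreMoves(lines) {
  return lines
    .map(extractStores)
    .filter((f) => f !== null && f.store1 !== f.store2);
}

console.log(datastoreMoves(SAMPLE_EVENTS));
```

Only the first event survives the filter; the host-only migration of vm2 is extracted but dropped because both datastore fields are equal.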