I want to extract the PID number from the log and store it in the variable failedPID. I have many messages of this kind with different application names.
Application: MM Viewer, PID: 7988 failed
Application: Database Browser App, PID: 6788 failed
Application: CentralViewer, PID: 7978 failed
I am using
rex "Application: (?<failedPID>.*) failed" | dedup 1 _time | chart count by failedPID
which is giving me output as
MM Viewer, PID: 7988
Database Browser App, PID: 6788
CentralViewer, PID: 7978
My ultimate goal is to store the application name in the failedApp variable and the PID in the failedPID variable.
Hi @anilkashyap,
If this only applies to failed events, then try this:
| rex field=_raw "Application:\s(?<failedApp>.+),\sPID:\s(?<failedPID>\d+)\sfailed"
Cheers,
David
Hi anilkashyap,
you can extract both the fields using one regex:
| rex "Application:\s+(?<failedApp>[^,]*),\s+PID:\s+(?<failedPID>\d*)\s+failed"
You can test it at https://regex101.com/r/piK2bJ/1
Bye.
Giuseppe
@anilkashyap
Try
|rex "Application:\s+(?<failedApp>.+),\s+PID:\s+(?<failedPID>\d+)"
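Added example (not from any poster in this thread): the three rex patterns posted above, run unchanged against log lines in JavaScript, whose RegExp accepts the same (?<name>...) named groups. It shows where the patterns differ on extra whitespace, a comma in the application name, two messages merged into one event, a non-failed status, and a missing PID. The names PATTERNS, SAMPLE_LINES, extract and compareAll are made up for this example, and every sample line after the first two is constructed.

```javascript
// Added example, not from the thread. JavaScript's RegExp accepts the same
// (?<name>...) named groups, so the posted patterns are used unchanged.
const PATTERNS = {
  // First answer: single \s, greedy .+ for the name, requires "failed".
  greedySingleSpace:
    /Application:\s(?<failedApp>.+),\sPID:\s(?<failedPID>\d+)\sfailed/,
  // Second answer: [^,]* stops at the first comma; \d* allows an empty PID.
  noComma:
    /Application:\s+(?<failedApp>[^,]*),\s+PID:\s+(?<failedPID>\d*)\s+failed/,
  // Last answer: greedy .+ and no trailing "failed", so any status matches.
  greedyNoAnchor:
    /Application:\s+(?<failedApp>.+),\s+PID:\s+(?<failedPID>\d+)/,
};

// The first two lines are from the question; the rest are constructed.
const SAMPLE_LINES = [
  "Application: MM Viewer, PID: 7988 failed",
  "Application: Database Browser App, PID: 6788 failed",
  "Application:  CentralViewer, PID: 7978 failed", // two spaces after the colon
  "Application: Report, Export Tool, PID: 4120 failed", // comma in the name
  "Application: A, PID: 1 failed Application: B, PID: 2 failed", // merged event
  "Application: CentralViewer, PID: 7978 started", // not a failure
  "Application: X, PID:  failed", // PID missing
];

// Returns the two captured fields, or null when the pattern does not match
// (the equivalent of rex leaving both fields unset on that event).
function extract(pattern, line) {
  const m = pattern.exec(line);
  return m
    ? { failedApp: m.groups.failedApp, failedPID: m.groups.failedPID }
    : null;
}

// One row per line, with the result of every pattern side by side.
function compareAll(lines = SAMPLE_LINES) {
  return lines.map((line) => {
    const row = { line };
    for (const [name, re] of Object.entries(PATTERNS)) {
      row[name] = extract(re, line);
    }
    return row;
  });
}

for (const row of compareAll()) console.log(JSON.stringify(row));
```

A null result or a failedApp value with stray whitespace or embedded message text splits or drops rows in a later "chart count by failedApp", so checking a pattern against lines like these before deploying it is worthwhile.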