Description
Recorded value for [Turn On Test 123]
Recorded value for [Turn On Test 456]
Execute all Appliances
In process to Execute
I would like to create another field named "Status" which extracts only "Turn On" for "Recorded value for [Turn On Test xxx]" and "Execute" for "Execute all Appliances" & "In process to Execute".
Hi @moinyuso96,
the extraction of a field in logs like the ones you shared is easy, only one question: is the status always a condition of two words (e.g. Turn on, Turn off, etc...) or not?
Are the possible statuses fixed (e.g. only "Turn on" and "Turn off")?
I ask this to exactly define the content of the status field.
So if the status is always composed of two words, try this:
| rex "\[(?<status>\w+\s\w+)"
that you can test at https://regex101.com/r/VAPtVU/1
Ciao.
Giuseppe
The status is not necessarily Turn On, I will also need to extract the word "Execute" where the location of the word is not the same for the case of "Execute All Appliances" and "In process to Execute".
I am actually looking to see if there is any way I can extract those words regardless of their location in the sentence.
Hi @moinyuso96,
as I said, the problem is that to correctly extract the status I need to know the format or the values of the status field.
If the values of the status are defined and limited in number, you can put these values in the regex, e.g. if the possible values are only "Turn On", "Turn Off" and "Execute", you could use them in the regex:
| rex "\[(?<status>Turn On|Turn Off|Execute)"
as you can see in https://regex101.com/r/VAPtVU/2
Ciao.
Giuseppe
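An added example, not part of the original posts: a pattern that starts with `\[` only matches when the status directly follows an opening bracket, so the search below drops that anchor and uses word boundaries to find the keyword anywhere in the text. It replays the four Description values from the question through `makeresults`, plus one constructed line with no keyword. The `Unknown` fallback is an assumption.

```spl
| makeresults
| eval Description=split("Recorded value for [Turn On Test 123];Recorded value for [Turn On Test 456];Execute all Appliances;In process to Execute;Constructed line with no status keyword", ";")
| mvexpand Description
| rex field=Description "\b(?<Status>Turn On|Turn Off|Execute)\b"
| fillnull value="Unknown" Status
| table Description Status
```

The first two rows yield `Turn On`, the next two `Execute`, and the constructed row `Unknown`.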
Hi @moinyuso96,
good for you, see next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉