Hi all,
I would like to extract a field as a part of the source field, and I know how to do this using the rex command:
| rex field=source "myregex"
but I'd like to configure this field once and not in all my searches.
I tried putting this in the field extractor:
field=source "myregex"
but there's something wrong!
Does anyone have any idea?
Bye.
Giuseppe
Hi,
try this. You cannot use the "Field Extractor" for this. You need to go to Settings --> Fields --> Field extractions --> New
"myregex" in source
It looks something like this then:
(?<newfield>.*) in source
Regards
Perfect: without double quotes!
Thank you.
Bye.
Giuseppe
The field extractor looks in the entire event. It's equivalent to rex field=_raw "myregex". You'll have to adjust your 'myregex' string to extract the desired field from the whole event.
Yes, I know, but the source field isn't in _raw.
Bye.
Giuseppe