Solved: How can I extract the 3 or 5 digit number and 2 3-...

kostasKats · ‎06-15-2015

The log is:

2015-06-15 15:50:29,381 ws prd 62 WARN  JourneySearch # # # # Blocked Incoming Request 13360-PSA-LIS

I have used this for the 3/5 digit number, but I want know to extract the words after the number:

rex field=_raw " Blocked Incoming Request (?<aid>\d+)"

Can someone help me please?

woodcock · ‎06-15-2015

Like this:

rex field=_raw " Blocked Incoming Request (?<aid>d+)(?<theRest>.*)$"

kostasKats · ‎06-15-2015

Thank you very much all!

This worked perfect for my work:
"Blocked Incoming Request" |rex field=_raw "Request (?\d+)-(?\S+)" |stats count by aid, word

reed_kelly · ‎06-15-2015

You can also get the words as a multi-valued result and separate them as needed with mvexpand

|rex field=_raw "Request (?<aid>\d+)\-(?<words>\S+)"  |makemv delim="-" words |mvexpand words

woodcock · ‎06-16-2015

You also need max_match=0 like this:

|rex max_match=0 field=_raw "Request (?\d+)\-(?\S+)"  |makemv delim="-" words |mvexpand words

woodcock · ‎06-15-2015

Like this:

rex field=_raw " Blocked Incoming Request (?<aid>d+)(?<theRest>.*)$"

How can I extract the 3 or 5 digit number and 2 3-letter words after "Request" in my sample log?