I have a field in my log which contains a huge text data with two different formats. I tried to catch a few parts in a new field but was unable to get all the data.
First type
------------------------------------
Timestamp=26/SEP/2018 16:37:38 UTC|DBA_GROUP=X2Oracle_NSS|TOWER=NSS|DB_INSTANCE_NAME=lsrprod|DB_HOST_NAME=ABC|UAID=0|TABLE_OWNER=STAGE|TABLE_NAME=NFMDAT|PARTITION_POSITION=6|PARTITION=P2018|HIGH_VALUE=TTO_DATE(' 2019-01-01 00:00:00', 'SYYYY-MM-DD HH24:MI:SS', 'NLS_CALENDAR=GREGORIAN')|PREV_HIGH_VALUE=TTO_DATE(' 2018-01-01 00:00:00', 'SYYYY-MM-DD HH24:MI:SS', 'NLS_CALENDAR=GREGORIAN')
Second type
-------------------------------------------------
Timestamp=26/SEP/2018 16:01:06 UTC|DBA_GROUP=X2Oracle_GFS|TOWER=GFS|DB_INSTANCE_NAME=ecs02prd|DB_HOST_NAME=ASD|UAID=UDBID-15360|TABLE_OWNER=ECSREFRESH_EXCEPTION|TABLE_NAME=ECS_TRAN_AUDIT_HSTR_BKP|PARTITION_POSITION=27|PARTITION=ECSTRANAUDTHSTR_20170430|HIGH_VALUE=TIMESTAMP' 2017-05-01 00:00:00'|PREV_HIGH_VALUE=TIMESTAMP' 2017-04-01 00:00:00'
partition_check_En_Time=12:01:07 PM
End_Time: Wed Sep 26 12:01:07 EDT 2018
I used the below query to get the new field from above log.
base search | eval Current_High_Value=substr(HIGH_VALUE, 11, 20) | eval Previous_High_Value=substr(PREV_HIGH_VALUE, 11, 20)
I am getting value properly for Current_High_Value field but not getting complete data in Previous_High_Value. Its not picking data for second type of log.
I have used below query and getting value properly.
base search | eval Current_High_Value=substr(HIGH_VALUE, 11, 20)
| rex "^(?:[^ \n]* ){5}(?P<Pre_High_Value>[^']+)"
| eval Previous_High_Value= case(like(PREV_HIGH_VALUE, "TTO_DATE%"), substr(PREV_HIGH_VALUE, 11, 20), like(PREV_HIGH_VALUE, "TIMESTAMP%"), Pre_High_Value)
I have used below query and getting value properly.
base search | eval Current_High_Value=substr(HIGH_VALUE, 11, 20)
| rex "^(?:[^ \n]* ){5}(?P<Pre_High_Value>[^']+)"
| eval Previous_High_Value= case(like(PREV_HIGH_VALUE, "TTO_DATE%"), substr(PREV_HIGH_VALUE, 11, 20), like(PREV_HIGH_VALUE, "TIMESTAMP%"), Pre_High_Value)
You can use rex command to get Previous high value-
rex field=PREV_HIGH_VALUE "\W+\s+(?\d{4}-\d{2}-\d{2})"
Thanks @Vijeta