In a log, if there are two similar words with different values, how do I retrieve the value of the second word using regex?
Example: "Display details of value =abc and value=def for id=1". How do I display the value "def"?
index=* "Letters" |rex field=_raw max_match=0 "value=?(?<value2>[^\n]*)" |stats values(value2) as letter by id
The above query returns
1 "abc and value=def"
@Aks_PC_20 - Try this query:
index=* "Letters"
| rex field=_raw max_match=0 "value=(?<value>[\S]+)"
| stats list(value) as letter by id
| eval letter=mvindex(letter,1)
Please let me know if this works. Also, please validate that this query works for all your examples; if not, provide samples for which it does not work.
I hope this works!!
This works but if the value is displayed as value="data need to be
displayed here "
Here the value will be displayed only up to "data need to be " and not the complete string, which is on the next line.
@Aks_PC_20 - If your format is fixed like:
Display details of value=abc and value=def for id=1
Format: <some text> value=<value-1> and value=<value-2> for id=<id>
Then you can use this:
index=* "Letters"
| rex field=_raw max_match=0 "value=(?<value1>.+)\s+and\s+value=(?<value2>.+)\s+for\s+id="
| stats latest(value2) as letter by id
But to extract the proper value and write the proper regex, you first need to define the format of the events in order to know where the value starts and ends.
I hope this helps!!!
The value of the value2 field is dynamic; each event will have a different value. The first query you mentioned worked, but the only thing is that it considers the value only up to the end of the line and does not consider the value that continues on the next line.
@Aks_PC_20 - So does that mean, in your example:
* value1="abc"
* value2="def for id=1"
(because you mentioned value2 is till the end of the line.)
If this is correct then you can use:
index=* "Letters"
| rex field=_raw max_match=0 "value=(?<value1>.+)\s+and\s+value=(?<value2>[^\n\r]+)"
| stats latest(value2) as letter by id
I hope this helps!!! Upvote/Karma would be appreciated!!!
When rex finds more than one match it puts them all into a multi-valued field. Use the mv* functions to manipulate them. In this case, get the second word using mvindex.
| eval secondWord = mvindex(value2, 1)
Also, remember that by default regexes are relatively greedy (they match as much as they can), so if you don't specify any boundaries to matching within your regex, you'll have a runaway one. So, for example,
value=(?<value>.*)
will match the event
value=1, value=2, value=3
and will extract "value" field from the "1" up to the end of the string.
If you matched only
value=(?<value>\d+)
you'd get separate matches for each value.
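The greedy-versus-bounded behaviour described above, and the multi-line quoted value raised earlier in the thread, as an added Python example that is not part of the original thread: it runs each pattern from the discussion over constructed sample events with Python's re module, which spells a named group (?P<name>...) where Splunk's PCRE accepts (?<name>...). The quoted-or-bare pattern is an assumed extension for values wrapped in double quotes, not one posted in the thread.

```python
import re
from typing import List, Optional

# Constructed sample events (not taken from the original thread's data).
EVENT_ONE_LINE = "Display details of value=abc and value=def for id=1"
EVENT_MULTI_LINE = (
    'Display details of value=abc and value="data need to be\n'
    'displayed here " for id=2'
)
EVENT_RUNAWAY = "value=1, value=2, value=3"

# Patterns from the thread, in Python's (?P<name>...) spelling.
GREEDY = r"value=(?P<value>.*)"          # unbounded: runs to the end of the line
TO_EOL = r"value=(?P<value>[^\n\r]+)"    # bounded only by the line break
NON_SPACE = r"value=(?P<value>\S+)"      # equivalent to [\S]+ in the thread
DIGITS = r"value=(?P<value>\d+)"         # bounded by the digit class
# Assumed extension: a double-quoted value (which may span lines) or a bare token.
QUOTED_OR_BARE = r'value=(?P<value>"[^"]*"|\S+)'


def extract_all(pattern: str, event: str) -> List[str]:
    """Mimic `rex max_match=0`: every match of the named group, in order."""
    return [m.group("value") for m in re.finditer(pattern, event)]


def second_value(pattern: str, event: str) -> Optional[str]:
    """Mimic `mvindex(field, 1)`: the second match, or None if there is none."""
    values = extract_all(pattern, event)
    return values[1] if len(values) > 1 else None


if __name__ == "__main__":
    # The runaway match versus the digit-bounded one.
    print("GREEDY  ", extract_all(GREEDY, EVENT_RUNAWAY))
    print("DIGITS  ", extract_all(DIGITS, EVENT_RUNAWAY))
    # How each candidate pattern handles a value that continues on the next line.
    for name, pattern in [("TO_EOL", TO_EOL), ("NON_SPACE", NON_SPACE),
                          ("QUOTED_OR_BARE", QUOTED_OR_BARE)]:
        print(name, "second value:", repr(second_value(pattern, EVENT_MULTI_LINE)))
```

TO_EOL reproduces the one-match result the question reports, NON_SPACE stops at the first space inside the quoted value, and only the quoted-aware pattern returns the whole second value.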