Hi @minpd0309,
you have to extract (using a regex) the fields and then run something like this:
index=your_index
| rex "\[user id:(?<user_id>\w+)\]\s+by\s+\[id:(?<id>\w+)"
| table user_id id
you can test the regex at https://regex101.com/r/HUeULf/1
Ciao.
Giuseppe
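Added example, not part of the post above: a self-contained SPL search that runs the same `rex` over constructed sample events (the `sample_event` strings, the `id_full` field and the `status` column are assumptions made for illustration) to check what the extraction does with values that `\w+` cannot cover. An ID containing `.` makes the event fail to match, and an ID containing `-` in the second group is silently cut short, because that group has no closing `\]` anchor.

```spl
| makeresults
| eval sample_event=split("action=update [user id:u1001] by [id:admin01]|action=update [user id:john.doe] by [id:admin01]|action=update [user id:u1002] by [id:svc-admin]|action=login src=10.0.0.5", "|")
| mvexpand sample_event
| rex field=sample_event "\[user id:(?<user_id>\w+)\]\s+by\s+\[id:(?<id>\w+)"
| rex field=sample_event "\[user id:[^\]]+\]\s+by\s+\[id:(?<id_full>[^\]]+)\]"
| eval status=case(isnull(user_id), "no match", id!=id_full, "id truncated", true(), "ok")
| table sample_event user_id id id_full status
```

Running the same comparison against a sample of real events (replace the first three lines with `index=your_index` and `field=sample_event` with the default `_raw`) shows whether any records are dropped or truncated before the result is relied on for audit or detection.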