Hi,
This is the sample event
GA.769:180302:113834:: INFO.PSA: Getting issue for ID: 931778
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Test Fail' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType w...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Testing in Progress' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Activating' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Adding to .Net Website' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'All Sec Incidents (closed)' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Application Certification' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
class type: java.util.HashMap
map values: null --> 505 :: NetOps-HR
map values: 1 --> 90109
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'BHN Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was s...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Building Test Lines' of type com.atlassian.servicedesk.internal.sla.customfield.SLAC...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Checking Connectivity' of type com.atlassian.servicedesk.internal.sla.customfield.SL...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connect to Network and Add to INS' of type com.atlassian.servicedesk.internal.sla.cu...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connecting MTA to Network' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Creating Test Accounts' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Request Type' of type com.atlassian.servicedesk.internal.customfields.origi...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Response Time' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'DOCSIS Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Days to Resolution' of type com.atlassian.servicedesk.internal.sla.customfield.SLACF...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Epic Link' of type com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 2 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 3 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response Task Metric' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'IT Testing' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...
When I use regular expression I am getting the value from the first line but not from the other lines. I want to capture the fields that start after INFO.getCustomFieldValues(): field.
@jkirankumar1993, you would need to use max_match=0
to fetch multiple values for the multi-valued field extraction using rex command. Try the following run anywhere search based on sample data provided:
| makeresults
| eval _raw="GA.769:180302:113834:: INFO.PSA: Getting issue for ID: 931778
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Test Fail' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType w...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Testing in Progress' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Activating' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Adding to .Net Website' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'All Sec Incidents (closed)' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Application Certification' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
class type: java.util.HashMap
map values: null --> 505 :: NetOps-HR
map values: 1 --> 90109
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'BHN Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was s...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Building Test Lines' of type com.atlassian.servicedesk.internal.sla.customfield.SLAC...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Checking Connectivity' of type com.atlassian.servicedesk.internal.sla.customfield.SL...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connect to Network and Add to INS' of type com.atlassian.servicedesk.internal.sla.cu...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connecting MTA to Network' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Creating Test Accounts' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Request Type' of type com.atlassian.servicedesk.internal.customfields.origi...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Response Time' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'DOCSIS Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Days to Resolution' of type com.atlassian.servicedesk.internal.sla.customfield.SLACF...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Epic Link' of type com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 2 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 3 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response Task Metric' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'IT Testing' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was..."
| rex "INFO\.getCustomFieldValues\(\):\sfield\s\'(?<myField>[^\']+)\'\sof\stype" max_match=0
@jkirankumar1993, you would need to use max_match=0
to fetch multiple values for the multi-valued field extraction using rex command. Try the following run anywhere search based on sample data provided:
| makeresults
| eval _raw="GA.769:180302:113834:: INFO.PSA: Getting issue for ID: 931778
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Test Fail' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType w...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Testing in Progress' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Activating' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Adding to .Net Website' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'All Sec Incidents (closed)' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Application Certification' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
class type: java.util.HashMap
map values: null --> 505 :: NetOps-HR
map values: 1 --> 90109
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'BHN Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was s...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Building Test Lines' of type com.atlassian.servicedesk.internal.sla.customfield.SLAC...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Checking Connectivity' of type com.atlassian.servicedesk.internal.sla.customfield.SL...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connect to Network and Add to INS' of type com.atlassian.servicedesk.internal.sla.cu...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connecting MTA to Network' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Creating Test Accounts' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Request Type' of type com.atlassian.servicedesk.internal.customfields.origi...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Response Time' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'DOCSIS Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Days to Resolution' of type com.atlassian.servicedesk.internal.sla.customfield.SLACF...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Epic Link' of type com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 2 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 3 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response Task Metric' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'IT Testing' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was..."
| rex "INFO\.getCustomFieldValues\(\):\sfield\s\'(?<myField>[^\']+)\'\sof\stype" max_match=0
Your query worked great for this single event. But, I have series of events and i want to extract these values as a field so that I can make a report
Try adding mvexpand
to your query to expand the multiple values of that is what you want.
<yourBaseSearch>
| fields _raw
| rex "INFO\.getCustomFieldValues\(\):\sfield\s\'(?<myField>[^\']+)\'\sof\stype" max_match=0
| mvexpand myField
| table myField
Worked Great. Thanks a lot
Glad you found it working. Please up vote the comments that helped 🙂
I have series of events like this. I want to extract field called "custom_field" from all these multi valued events.
Example or sample output of extracted field:
AE Test Fail
AE Testing in Progress
Activating
.............
.............
Note: I dont have access to any config files. So, can you tell any regular expression to capture all those values?