Below are the sample event details I mentioned. I want to extract fields into a table using regex operations.
I only need the IN and OUT statuses.
status | license | username | machine
IN | lic_1 | user1 | WKS1xxxx
OUT | lic_2 | user2 | WKS1xxxx
IN | lic_3 | user3 | WKS1xxxx
Sample data:
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx (licenses are reserved for others. (-101,396:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx (User/host not on INCLUDE list for feature. (-39,349:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx (All licenses are reserved for others. (-101,396:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx (User/host not on INCLUDE list for feature. (-39,349:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx (All licenses are reserved for others. (-101,396:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx (User/host not on INCLUDE list for feature. (-39,349:10054 ""))
15:21:54 (app1) OUT: "lic_1" user1@WKS1xxxx
15:21:54 (app1) UNSUPPORTED: "lic_2" (PORT_AT_HOST_PLUS ) user1@WKS1xxxx (License server system does not support this feature. (-18,327:10054 ""))
15:21:54 (app1) UNSUPPORTED: "lic_3" (PORT_AT_HOST_PLUS ) user1@WKS1xxxx (License server system does not support this feature. (-18,327:10054 ""))
15:21:54 (app1) UNSUPPORTED: "lic_2" (PORT_AT_HOST_PLUS ) user1@WKS1xxxx (License server system does not support this feature. (-18,327:10054 ""))
15:21:54 (app1) IN: "lic_3" user2@WKS2xxxx
15:22:04 (app1) IN: "lic_1" user1@WKS1xxxx
15:22:20 (app1) OUT: "lic_3" user3@WKS22xxx
If each line is a single event above then @rich71777's answer should hold; however, if more than one such line exists per event then please give this a try:
your query to get the events
| rex max_match=0 field=_raw "(?<status>(IN|OUT)):\s*\"(?<license>[^\"]+)\"\s*(?<username>[^@]+)@(?<machine>[\S]+)"
| eval allValues=mvzip( status, mvzip(license, mvzip(username, machine, "~"), "~"), "~")
| mvexpand allValues
| rex field=allValues "(?<myStatus>[^~]+)~(?<myLicense>[^~]+)~(?<myUser>[^~]+)~(?<myMachine>.*)"
| table myStatus, myLicense, myUser, myMachine
Hi,
In gokadroid's answer, replace
(?<license>[^"]+)
with
(?<license>[^\"]+)
to get a working answer. He forgot to escape the " character.
Thanks all, gokadroid's answer was great, and chimell pointed out the error. The final rex would include chimell's changes.
Thanks @chimell and @vijax... nice catch! Updated as per the comments. Upvote for both of you for refining the answer.
Try
... | rex "(?<status>(IN|OUT)):\s+\"(?<license>[^\"]*)\"\s+(?<username>[^@]*)@(?<machine>.*)"
That should give you the fields you asked for on all lines that have the fields in them.
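As an added example that is not part of the original post or of either answer above: the same extraction done in Python, so the two cases can be checked offline. It covers both the one-line-per-event rex (rich71777's answer) and the multi-line-event pipeline of rex max_match=0, mvzip, mvexpand and a second rex (gokadroid's answer). The sample event is constructed from the question's log lines; the leading \b word boundary, the names extract_one, extract_multivalue, mvzip_expand and extract_all, and the explicit delimiter check are assumptions of this example, not anything from the page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the IN/OUT/DENIED/UNSUPPORTED lines from the question,
# joined into a single multi-line event (the "several lines per event" case).
SAMPLE_EVENT = "\n".join([
    '15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx (licenses are reserved for others. (-101,396:10054 ""))',
    '15:21:54 (app1) OUT: "lic_1" user1@WKS1xxxx',
    '15:21:54 (app1) UNSUPPORTED: "lic_2" (PORT_AT_HOST_PLUS ) user1@WKS1xxxx (License server system does not support this feature. (-18,327:10054 ""))',
    '15:21:54 (app1) IN: "lic_3" user2@WKS2xxxx',
    '15:22:04 (app1) IN: "lic_1" user1@WKS1xxxx',
    '15:22:20 (app1) OUT: "lic_3" user3@WKS22xxx',
])

# Python form of the answers' rex; named groups carry the same field names.
# The leading \b is an addition of this example: it stops the IN alternative
# from matching the tail of a longer status such as "LOGIN:".
CHECKOUT_RE = re.compile(
    r'\b(?P<status>IN|OUT):\s*"(?P<license>[^"]+)"\s*'
    r'(?P<username>[^@\s]+)@(?P<machine>\S+)'
)

FIELDS = ("status", "license", "username", "machine")


def extract_one(line: str) -> Optional[Dict[str, str]]:
    """One event per line (plain rex): the first IN/OUT match, or None."""
    m = CHECKOUT_RE.search(line)
    return m.groupdict() if m else None


def extract_multivalue(raw: str) -> Dict[str, List[str]]:
    """rex max_match=0: every match, as one multi-value list per field."""
    mv: Dict[str, List[str]] = {f: [] for f in FIELDS}
    for m in CHECKOUT_RE.finditer(raw):
        for f in FIELDS:
            mv[f].append(m.group(f))
    return mv


def mvzip_expand(mv: Dict[str, List[str]], delim: str = "~") -> List[Dict[str, str]]:
    """Emulates mvzip(...) + mvexpand + the second rex: join per match, then split.

    The delimiter must not occur in any value, otherwise the second rex cuts
    rows in the wrong place. SPL does not check this; this example does.
    """
    rows: List[Dict[str, str]] = []
    for values in zip(*(mv[f] for f in FIELDS)):
        if any(delim in v for v in values):
            raise ValueError(f"delimiter {delim!r} found in value: {values}")
        joined = delim.join(values)                    # the allValues field
        parts = joined.split(delim, len(FIELDS) - 1)   # the second rex
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def extract_all(raw: str) -> List[Dict[str, str]]:
    """Full pipeline for a multi-line event: one row per IN/OUT line."""
    return mvzip_expand(extract_multivalue(raw))


if __name__ == "__main__":
    print(" | ".join(FIELDS))
    for row in extract_all(SAMPLE_EVENT):
        print(" | ".join(row[f] for f in FIELDS))
```

Running it prints the four IN/OUT rows and skips the DENIED and UNSUPPORTED lines. The ValueError in mvzip_expand is the part worth carrying back to SPL: pick a delimiter for mvzip that cannot appear in a username or host name, or the expanded rows will silently shift.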