I have a field "CATEGORY3" with strings, for example:
Log 1.2 Bundle With 12 INC
Log 1.2 Bundle With 3 INC
Log 1.2 Bundle With 103 INC
Log 1.3 IP
Log 1.3 IP
I just need to extract the number of INCs if CATEGORY3 contains the Bundle keyword. I tried something like substr(CATEGORY3,19,3), but it won't give a proper answer.
I was trying to look for a regex as well, but I really do not know how to use the rex command inside an eval case:
index="index1" sourcetype="XXX" | eval NE_COUNT= case(match(CREATOR_SUBJECT,"Bundle"), , match(CREATOR_SUBJECT,"IP"), 1 )
Thanks in advance
Can you try the rex below, which only works on events that have the Bundle keyword:
| rex field=_raw "Bundle With (?P<inc_count>\d+) INC"
Hey @p_gurav - I think your code is getting mangled because you forgot to use the 010101 code button. Maybe fix it so the user can test? I think your answer is probably correct!
Thanks for the answer. It's working and I learned a new point here. Just want to point out that instead of checking _raw, we can also use the field name CATEGORY3 for faster execution.
... your search ... | rex field=CATEGORY3 "Bundle With (?P<num_of_inc>\d+) INC"
Hope it helps.
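To show what the accepted rex actually does against the sample values, and why the fixed-offset substr attempt from the question could not work, here is an added Python example (not part of the thread, and not SPL; Python's re uses the same (?P<name>...) named-group syntax as Splunk's rex). The sample CATEGORY3 values are constructed from the thread's examples, and ne_count() mirrors the intent of the original eval case(): the extracted count for Bundle rows, 1 for IP rows, and null (None here) for anything else. The function names are my own.

```python
import re

# Constructed sample values of the CATEGORY3 field, modelled on the
# examples in the question (not real log data).
SAMPLE_CATEGORY3 = [
    "Log 1.2 Bundle With 12 INC",
    "Log 1.2 Bundle With 3 INC",
    "Log 1.2 Bundle With 103 INC",
    "Log 1.3 IP",
    "Log 1.3 IP",
]

# Same pattern as the accepted rex: a named group of one or more digits,
# anchored by the literal words on both sides so it only fires on
# Bundle rows and never picks up the "1.2" version number.
BUNDLE_RE = re.compile(r"Bundle With (?P<inc_count>\d+) INC")


def ne_count(category3):
    """Mirror the intended eval case(): Bundle -> extracted INC count,
    IP -> 1, anything else -> None (like a case() with no matching branch)."""
    m = BUNDLE_RE.search(category3)
    if m:
        return int(m.group("inc_count"))
    if "IP" in category3:
        return 1
    return None


def extract_all(rows):
    """Apply ne_count to every CATEGORY3 value, like the rex running per event."""
    return [ne_count(r) for r in rows]


def substr_attempt(category3):
    """The original substr(CATEGORY3,19,3) attempt, reproduced with Python
    slicing (SPL substr is 1-based, so position 19 is index 18). It grabs
    a fixed window regardless of where the digits are, so it returns the
    same wrong slice for every Bundle row instead of the count."""
    return category3[18:21]


if __name__ == "__main__":
    for row in SAMPLE_CATEGORY3:
        print(f"{row!r:35} substr -> {substr_attempt(row)!r:6} rex -> {ne_count(row)}")
```

Running it prints the substr slice ("h 1") next to the regex result for each row, which makes the difference between a fixed offset and an anchored pattern obvious. One caveat worth keeping in mind from the follow-up comment: running rex on field=CATEGORY3 rather than _raw also avoids matching "Bundle With ... INC" text that might appear elsewhere in the raw event.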