I want to make a table that shows ACTION, DATABASE USER, PRIVILEGE, CLIENT USER and DBID; I want the value between ' '. My field extraction and rex fail. Please advise.
Sat May 20 23:59:45 2017
LENGTH : '426'
ACTION :[278] 'select sofar, context, start_time from v$session_longops where (start_time > nvl(:1, sysdate-100) or start_time = nvl(:2, sysdate+100)) and sid = :3 and serial# = :4 and opname like 'RMAN:%' order by start_time desc, context desc'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'bing'
CLIENT TERMINAL:[0] ''
STATUS:[1] '0'
DBID:[9] '000000000'
Hi ewise1,
take a look at this answer https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html to learn how it can be done.
Your regex would be something like this:
^(\w+\s\w+|^\w+)[\s:\[\d\]]+'(.+)'
hope this helps ...
cheers, MuS
MuS,
thanks for your response, referring to the link you mentioned I should say that I don't have access to transforms.conf.
How come? transforms.conf can be created/modified in the UI under settings - fields - field transformation
Read this https://answers.splunk.com/answers/149597/im-struggling-with-how-i-should-be-doing-inputs-and-also-p... which explains how the options of props and transforms map to the UI.
cheers, MuS