I have the following events in the log. Although there are a lot of rows in it, I am interested in these rows only, and in extracting the "time:" and anything after "subject:".
---
2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: RE: Hello this is first email
---
2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is second email
---
2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is third email
---
So I need to create a report like this -
Time | Subject |
2016 2021-09-11 11:01:19 | RE: Hello this is first email |
2016 2021-09-11 11:01:21 | Re: Hello this is second email |
2016 2021-09-11 11:01:22 | Re: Hello this is third email |
Thanks!
This should get you started.
index=foo "Server 2016" "subject"
| rex "Server 2016 (?<Time>[^,]+).*subject: (?<Subject>.*)"
| replace "T" with " " in Time
| table Time Subject
The only command not working is -
| replace "T" with " " in Time
Still, in the result I am seeing - 2021-09-11T11:01:19
Try this instead of replace.
| rex field=Time mode=sed "s/T/ /"
Thanks a lot, it worked!
2016 doesn't appear to be part of a time - what is it about these events that would allow you to distinguish them from other events, e.g. are you interested in all events which contain the string
Problem creating batch from the downloaded mail with subject:
| rex "(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)"
Yes, anything that's after "interested in all events which contain the string".
When I search with -
index="foo" | rex "(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)"
then I am getting the following error -
Error in 'rex' command: Encountered the following error while compiling the regex '(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)': Regex: unknown property name after \P or \p.
But if I put a space between *\ and Problem, then it is providing all the rows, even without the event I am looking for, and not in a tabular form.
Sorry, that was a typo, the \ before the P is not needed
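As an added example (not from anyone in this thread, and not Splunk code), the same extraction done in Python so the two regexes discussed above can be checked offline: the timestamp and subject capture from the second answer, the "T" to space fix from the first, and the effect of the stray `\P`. The four log lines are constructed to mirror the samples in the question plus one unrelated line that must be skipped; Python's `re` module spells named groups `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`, and dropping the milliseconds with `split(",")` is my choice, matching what the `[^,]+` in the first answer does implicitly.

```python
import re

# Constructed sample events mirroring the thread; the INFO line is a decoy
# that the report must not include.
SAMPLE_EVENTS = [
    "2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 "
    "Problem creating batch from the downloaded mail with subject: RE: Hello this is first email",
    "2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 "
    "Problem creating batch from the downloaded mail with subject: Re: Hello this is second email",
    "2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 "
    "Problem creating batch from the downloaded mail with subject: Re: Hello this is third email",
    "2020.1.02 Windows Server 2016 2021-09-11T11:02:00,001 INFO pool-11-thread-1 "
    "Mailbox poll completed",
]

# Same pattern as the corrected second answer, with Python's (?P<name>...) group syntax.
# Anchoring on the full message text keeps unrelated "Server 2016" events out.
EVENT_RE = re.compile(
    r"(?P<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})"
    r".*Problem creating batch from the downloaded mail with subject: (?P<subject>.*)"
)


def extract(events):
    """Return (time, subject) rows for matching events only."""
    rows = []
    for line in events:
        m = EVENT_RE.search(line)
        if m is None:
            continue  # not a "Problem creating batch" event
        # Drop the ",865" milliseconds and replace the ISO "T" separator with a
        # space, which is what the sed-style rex in the thread does.
        time = m.group("time").split(",")[0].replace("T", " ")
        # The subject is text taken from inbound mail, i.e. untrusted input:
        # keep it as plain data in the report, never interpret it.
        rows.append((time, m.group("subject")))
    return rows


def format_table(rows):
    """Render rows in the pipe-separated layout the question asked for."""
    lines = ["Time | Subject |"]
    for time, subject in rows:
        lines.append(f"{time} | {subject} |")
    return "\n".join(lines)


def stray_backslash_p_compiles():
    """The typo from the thread: '\\P' is a Unicode property escape in PCRE and
    an unknown escape in Python, so both engines reject this pattern."""
    try:
        re.compile(r".*\Problem creating batch")
        return True
    except re.error:
        return False


if __name__ == "__main__":
    print(format_table(extract(SAMPLE_EVENTS)))
    print("stray \\P compiles:", stray_backslash_p_compiles())
```

Running it prints the three subject rows with `2021-09-11 11:01:19` as the time and skips the INFO line; `stray_backslash_p_compiles()` returns False, which is the Python counterpart of the Splunk "unknown property name after \P or \p" error.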