Hi,
I am trying to extract the last field using the field extractor but it's not working. Can anyone help me write a regex for the sample events below?
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, HAOnly = 1;
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, haLogStatus = enabled;
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, logLen = 10485760;
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, haLogPath = /logs/luna;
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,HAConfiguration = {
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, CBOL-HA = 1;
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,HASynchronize = {
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, VirtualToken00Members = 157803010,155322014;
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, VirtualToken00SN = 1157803010;
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, VirtualToken00Label = CBOL-HA;
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,VirtualToken = {
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, ServerHtl01 = 0;
Try this, which will extract values into fields called dateTime, myField1 and myField2:
your query to return the events
| rex field=_raw "^(?<dateTime>[^,]+),(?<myField1>[^,]+),(?<myField2>.*)"
| table dateTime, myField1, myField2
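The same extraction run offline, as an added example that is not part of the answer above. It applies the answer's pattern to a constructed copy of the question's event lines (the host/source/sourcetype lines are Splunk UI metadata, not part of _raw, and are left out), then goes one step further than the answer and splits the trailing field into a key and a value, which is what "the last field" in these events actually holds. Note that Python's re module spells named groups (?P<name>...), whereas Splunk's rex (PCRE) accepts (?<name>...); the function names, the KV_RE pattern and the handling of the brace-only lines are assumptions of this example, not something the post specifies.

```python
import re

# Constructed sample: the event lines from the question, as they would appear in _raw.
SAMPLE_EVENTS = [
    "Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,",
    "Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}",
    "Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, HAOnly = 1;",
    "Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, haLogPath = /logs/luna;",
    "Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,HAConfiguration = {",
    "Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, VirtualToken00Members = 157803010,155322014;",
    "Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, VirtualToken00Label = CBOL-HA;",
]

# Same pattern as the rex in the answer, with Python's (?P<name>...) group syntax.
# myField2 is ".*", so a value that itself contains commas (VirtualToken00Members)
# stays in one field, which a plain comma-delimiter extraction would split.
EVENT_RE = re.compile(r"^(?P<dateTime>[^,]+),(?P<myField1>[^,]+),(?P<myField2>.*)$")

# Assumed shape of the trailing field: "key = value;" with optional surrounding
# whitespace and an optional trailing semicolon (block openers end in "{" instead).
KV_RE = re.compile(r"^(?P<key>[A-Za-z0-9_-]+)\s*=\s*(?P<value>.*?)\s*;?\s*$")


def extract_fields(raw):
    """Return the three rex fields for one event, or None if the line does not match."""
    m = EVENT_RE.match(raw)
    if not m:
        return None
    return m.groupdict()


def parse_trailing(field):
    """Split myField2 into (key, value).

    Empty tails and bare braces carry no key, so they come back as (None, stripped).
    The leading space the rex leaves on myField2 is stripped here rather than in the
    regex, so the extraction stays identical to the answer's.
    """
    stripped = field.strip()
    if stripped in ("", "{", "}"):
        return (None, stripped)
    m = KV_RE.match(stripped)
    if not m:
        return (None, stripped)
    return (m.group("key"), m.group("value"))


def config_from_events(events):
    """Fold a run of events into {key: value}.

    Lines that only open ("name = {") or close ("}") a block are skipped; only
    leaf settings end up in the dictionary.
    """
    config = {}
    for raw in events:
        fields = extract_fields(raw)
        if fields is None:
            continue
        key, value = parse_trailing(fields["myField2"])
        if key is None or value == "{":
            continue
        config[key] = value
    return config


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(extract_fields(raw))
    print(config_from_events(SAMPLE_EVENTS))
```

In Splunk the second step is a further rex on the field the first one produced, for example `| rex field=myField2 "^\s*(?<key>[^=\s]+)\s*=\s*(?<value>.*?);?\s*$"`; without it, the brace-only events and the empty tail on the first event produce an empty or meaningless myField2, which is worth filtering before building any dashboard on these values.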
Thank you, I am able to do the field extraction using a delimiter and I will try this also.