I am trying to extract key-value pairs from the following. Here's the sample log. I have tried using xmlkv, spath and no luck.
What's the easiest way to extract first and second as $field1::$field2 or a on the fly search time extraction?
Appreciate your help.
Hey Raghav, you definitely need to use regular expressions... Before I suggest anything, is the text you paste correct? looks like is missing "whitespaces" and the line breaking is wrong... Try to paste the text and use the "code sample" icon on the top of the form to format it correctly, like this:
As regular expression suggestion, I always recommend to use the site http://regex101.com/ to play with.
Ok, so just clarify, what you mean by extract "first and second as $field1::$field2"? What are the parts of the text you wish to extract as fields, pls give me an example, like:
So, based on that here how you could start with:
index=bla "your search" | rex field=_raw "FIRST_NAME(?P<fieldA>\w+)BATCH_EXPIRATION.+LASt_NAME(?P<fieldB>\w+)DEVICE_LIMIT" | table fieldA, fieldB
This is just an example assuming all your events have a similar format, you should be able to extract other fields as your requirement. Again, just "past" your log into http://regex101.com and start with the Regex on my example.
Just two more things... you probably notice you could choose any name to the "fieldA" (B, etc). Also looking to your data, should be straight forward to expand this extraction method for almost all fields.
Once you have it done, you also could configure it inside "Settings -> Fields -> Field Extraction" so you don't need to do it every search using the