I have defined a new field extraction at search time. I don't know if there is any way to test it. For the moment I can't see the field at search time, on the left part of the screen.
Is it because it is not working properly, no match found, or do I have to do something else?
It is defined as :
<vdv\d\d\d:(.*?)\s for a special source_type cusadapter
When I try to search through that
Type Extraction/Transform Owner App Sharing Status Actions
cusadapter : EXTRACT-vdv_message_type Inline <vdv\d\d\d:(?)\s cus search Private Enabled
What am I missing ?
Your search
sourcetype="adapter" | rex field=_raw <vdvklzzwxh:0000klzzwxh:0001klzzwxh:0002:(?<message_type>)s
does not capture any characters in the brackets for the field message_type. I'm not sure what your initial extraction does because it appears some characters were mangled in the post.
An untested regex to extract the VDV message type might be
| rex "<vdv(\d+):(?<message_type>[^\s>/]+)"
Fields are displayed in the field list on the left side of the result page.
Make sure not to disable the automatic field extraction (on 4.2 by sliding the option, on 5.* by using the fast options)
or simply by adding at the end of the search | table myfield
Thank you for your answer.
I tried your regex, but there is no field displayed on the left (by the other fields) when I'm trying the corrected regex. Where are extracted fields supposed to be displayed?
I've tried in a perl rex test, with my logfile, but in the search, I have no field displayed but also no error message. Here is what I tried:
sourcetype="adapter" | rex field=_raw
and here is what I tried to extract :
[2012-11-12 07:54:49,568] INFO technical.http.ans.app.vdv.util.http.VdvHttpLogger createLogEntry - IN --> otv ans DatenAbrufenAntwort ok /10.104.180.7:2800 <?xml version="1.0" encoding="ISO-8859-1"?><vdv453:DatenAbrufenAntwort xmlns:xsi="
Have you tried an inline rex command in your search string to check and see if you're getting matches first?
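An offline check of the three patterns discussed in this thread against the sample event, added here as an example and not code posted by any participant. JavaScript is used because it accepts the same `(?<name>...)` named-group syntax; `checkExtraction`, the pattern labels and the second event are assumptions made for illustration.

```javascript
// Sample event copied from the thread (it is cut off there after xmlns:xsi=").
const SAMPLE_EVENT =
  '[2012-11-12 07:54:49,568] INFO technical.http.ans.app.vdv.util.http.VdvHttpLogger ' +
  'createLogEntry - IN --> otv ans DatenAbrufenAntwort ok /10.104.180.7:2800 ' +
  '<?xml version="1.0" encoding="ISO-8859-1"?><vdv453:DatenAbrufenAntwort xmlns:xsi="';

// Constructed event (not from the thread): a self-closing element.
const CONSTRUCTED_EVENT = 'IN --> <vdv453:Beispiel/>';

// The three patterns that appear in the thread; the labels are hypothetical.
const PATTERNS = {
  original: String.raw`<vdv\d\d\d:(.*?)\s`,              // unnamed group only
  emptyGroup: String.raw`<vdv\d\d\d:(?<message_type>)\s`, // named group with no content
  suggested: String.raw`<vdv(\d+):(?<message_type>[^\s>/]+)`,
};

// Report what a named-group extraction would yield for one event.
// Splunk creates fields only from named groups, so a match without one
// is reported separately from a failed match.
function checkExtraction(pattern, event, field = 'message_type') {
  const m = new RegExp(pattern).exec(event);
  if (m === null) return { status: 'no-match', value: null };
  if (!m.groups || !(field in m.groups)) {
    return { status: 'no-named-group', value: null };
  }
  const value = m.groups[field];
  if (value === undefined || value === '') {
    return { status: 'empty-capture', value: null };
  }
  return { status: 'ok', value };
}

// Run every pattern against every event and collect the outcomes.
function report() {
  const events = { sample: SAMPLE_EVENT, constructed: CONSTRUCTED_EVENT };
  const rows = [];
  for (const [pName, pattern] of Object.entries(PATTERNS)) {
    for (const [eName, event] of Object.entries(events)) {
      rows.push({ pattern: pName, event: eName, ...checkExtraction(pattern, event) });
    }
  }
  return rows;
}

console.table(report());
```

A `no-match` or `no-named-group` result corresponds to the symptom in the question: the search runs without error and no field appears in the field list.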