Jasmine
Path Finder
05-11-2024
05:02 AM
In the query below, if c=I, the regular expression is | rex field=attr.namespace "(?<DB>[^\.]*)"
If c is anything other than "I", then the rex would be | rex field=attr.ns "(?<DB>[^\.]*)"
index="aaa" (source="/test/log/testing.log") host IN(host1) c=N
| rex field=attr.ns "(?<DB>[^\.]*)"
| table DB
| dedup DB
How can I adjust the query?
1 Solution
tscroggins
Influencer
05-11-2024
10:01 AM
Hi @Jasmine,
You can assign the field value to a temporary field first, and then use the rex command to extract the value you want:
index="aaa" (source="/test/log/testing.log") host IN (host1) c=*
| eval DB=if(c=="I", 'attr.namespace', 'attr.ns')
| rex field=DB "(?<DB>[^\.]*)"
| table DB
| dedup DB
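The search below is an added example, not part of the original posts. It reproduces the accepted approach on constructed events so it can be checked without access to the index. The `makeresults`/`streamstats` scaffolding and every sample value (`sales.orders`, `inventory.items`, `admin`, `sales.customers`) are made up for illustration; only the `eval`, `rex`, `table` and `dedup` lines come from the answer.

```spl
| makeresults count=4
| streamstats count AS n
| eval c=case(n==1, "I", n==2, "N", n==3, "U", n==4, "I")
| eval "attr.namespace"=case(n==1, "sales.orders", n==4, "sales.customers")
| eval "attr.ns"=case(n==2, "inventory.items", n==3, "admin")
| eval DB=if(c=="I", 'attr.namespace', 'attr.ns')
| rex field=DB "(?<DB>[^\.]*)"
| table c DB
| dedup DB
```

The two c=I events take their value from attr.namespace and the others from attr.ns; the value without a dot (`admin`) is kept whole, and `dedup` collapses the two `sales` rows into one, leaving three rows.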
