Re: how to extract partial value from filed and sh...

naresh_553 · ‎08-09-2023

Hi , Im trying to extract distinct email is as column and preparing some counts .For this im thinking to extract the email data from log field . Can someone please provide pointers

{
"log": " \u001b[2m2023-08-09 21:28:28.347\u001b[0;39m \u001b[32mDEBUG\u001b[0;39m \u001b[35m1\u001b[0;39m \u001b[2m---\u001b[0;39m \u001b[2m[nio-8080-exec-7]\u001b[0;39m \u001b[36ms.s.w.c.SecurityContextPersistenceFilter\u001b[0;39m \u001b[2m:\u001b[0;39m Set SecurityContextHolder to SecurityContextImpl [Authentication= SCOPE_profile1]], User Attributes: [{ email=venkatanaresh.mokka@one.verizon.com}], Credentials=[PROTECTED] ]]\n",
"stream": "stdout",

"kubernetes": {
"container_name": "draftx-ui-gateway",

}
}

yuanliu · ‎08-10-2023

You must have a field name log. Use extract (aka kv) on it.

| rename log as _raw 
| kv

isoutamo · ‎08-11-2023

Hi

as usual there is another way too 😉 I'm expecting that this information is on field called "log". If it's something else then just change field=<your field name>

| rex field=log "email=(?<email>[^}]+)"

You could check by Job Inspector which one is better on your case.

r. Ismo

how to extract partial value from filed and show as column

field extraction

regex

rex

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!