My event is:
HDR+1|TIME+2017-01-17 11:09:17.426 GMT|SESS+957785928+18|CLS+BookingLogger|METH+createAndFulfilCommercialFlightBooking(...), LNam=PALMER/PNR=2BHSLK/BkTYPE=CalendarLed/POS=LON/Country=GB/User=DirectPax/Journey=LHR-PSA/Aggregator=null/AgentName=null/Amount=GBP70.70
My search is:
.. fields f5 f6|regex f6=(CLS\+BookingLogger).+?(METH\+createAndFulfil).+?(PNR\=)
does not return any events.
Give this a try:
index=foo sourcetype=bar "CLS+HoldBookingLogger" OR ("CLS+BookingLogger|METH+createAndFulfil*" AND "PNR=*")
That works a treat, thank you. Just wondering why this doesn't work:
"CLS+HoldBookingLogger" OR ("CLS+BookingLogger|METH+createAndFulfil*|PNR=*")
My dataset is:
|HDR+1|TIME+2016-12-22 00:04:03.509 GMT|SESS+896400949+19|CLS+BookingLogger|METH+createAndFulfilCommercialFlightBooking(...), LNam=BARRETT/PNR=YWHXF8/BkTYPE=FlexPricer/POS=NAS/Country=BS/User=DirectPax/Journey=NAS-LHR/Aggregator=null/AgentName=null/Amount=USD1141.53
|HDR+1|TIME+2016-12-22 00:04:03.509 GMT|SESS+896400949+19|DATA++|EVENT:FLIGHT_BOOKING_SUCCESSFUL|DATA:BOOKING_RECORD;YWHXF8;NumPax=1;ISRAEL,BARRETT;NAS,LHR,BA0252,23Dec16+23:05,H;2916;VI;Mr Michael
|HDR+1|TIME+2017-01-17 09:48:34.188 GMT|SESS+940031903+41|CLS+HoldBookingLogger|METH+createAndConfirmHoldBooking(...), LNam=MAGUIRE/PNR=2AZQRW/BkTYPE=CalendarLed/POS=DUB/Country=IE/User=DirectPax/Journey=DUB-LHR-LHR-DUB/HoldBookingState=Held/HoldFeeCurrency=EUR/HoldFeeAmount=10.00
Basically I want to extract rows with either:
CLS+HoldBookingLogger
OR
"CLS+BookingLogger" AND "METH+createAndFulfil" AND "PNR="
Sorry, + has a preceding "\":
regex f6=(CLS+BookingLogger).+?(METH+createAndFulfil).+?(PNR=)
What is your requirement here? Do you want to filter results that match certain conditions, or do you want to extract fields? If it's the former, do you have fields already extracted?
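An added example, not part of the thread: it runs the regex from the question over the posted dataset in Python, with and without the backslashes before "+", and applies the either/or filter described above. The events are truncated copies of the posted rows; the PNR character class and the function names are assumptions made for this example.

```python
import re

# Events from the dataset posted in the thread, truncated after BkTYPE/NumPax.
EVENTS = [
    "|HDR+1|TIME+2016-12-22 00:04:03.509 GMT|SESS+896400949+19|CLS+BookingLogger|METH+createAndFulfilCommercialFlightBooking(...), LNam=BARRETT/PNR=YWHXF8/BkTYPE=FlexPricer",
    "|HDR+1|TIME+2016-12-22 00:04:03.509 GMT|SESS+896400949+19|DATA++|EVENT:FLIGHT_BOOKING_SUCCESSFUL|DATA:BOOKING_RECORD;YWHXF8;NumPax=1",
    "|HDR+1|TIME+2017-01-17 09:48:34.188 GMT|SESS+940031903+41|CLS+HoldBookingLogger|METH+createAndConfirmHoldBooking(...), LNam=MAGUIRE/PNR=2AZQRW/BkTYPE=CalendarLed",
]

# As rendered in the thread: an unescaped "+" is a quantifier ("CL", then one or more "S").
UNESCAPED = re.compile(r"(CLS+BookingLogger).+?(METH+createAndFulfil).+?(PNR=)")
# With the backslashes restored, "\+" matches the literal plus sign in the log.
ESCAPED = re.compile(r"(CLS\+BookingLogger).+?(METH\+createAndFulfil).+?(PNR=)")
HOLD = re.compile(r"CLS\+HoldBookingLogger")
# Assumption: a PNR is a run of upper-case letters and digits, as in the samples.
PNR = re.compile(r"PNR=([A-Z0-9]+)")


def matching_rows(pattern):
    """Return the indexes of EVENTS that the pattern matches anywhere."""
    return [i for i, event in enumerate(EVENTS) if pattern.search(event)]


def wanted(event):
    """Hold bookings, or fulfilled bookings that carry a PNR."""
    return bool(HOLD.search(event) or ESCAPED.search(event))


def pnr(event):
    """Extract the PNR value, or None when the event has no PNR= field."""
    m = PNR.search(event)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("unescaped matches rows:", matching_rows(UNESCAPED))
    print("escaped matches rows:  ", matching_rows(ESCAPED))
    for event in EVENTS:
        if wanted(event):
            print(pnr(event), event[:60])
```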