I have one host with multiple sourcetypes. I want to extract a field, but that field is also a bit different in each sourcetype, so for all events I have to write different rex commands. Is there any way to write one rex command for all events?
So from here, except .vmx.
Can anyone help with this?
In the result I am getting like this:
I want like this, only the name of that.
These logs are different from the previous ones. Can we use two regexes (one for the previous ones and one for these), or do you want only one regex?
In both cases, can you share a sample of all the possible logs to cover with the regex?
Sorry, but I don't understand your question:
If the first, you could try to associate the field extraction to a host or a source instead of a sourcetype; I don't like it, but it's possible.
If the second, it's not possible: you have to use the correct regex for each sourcetype.
The best approach would be for you to share two or three samples of your data, indicating what you want to extract.
No, it isn't possible; you have to copy the field extraction for all sourcetypes.
I understand that it isn't easy to manage, but it permits you to maintain more control over your data.
There's also the choice to associate the field extraction to host and/or source, if that could be useful for you; in this way it's common to all the sourcetypes associated to that host or source.
index="" ".vmx" host="" | rex field=_raw "(?P<VM>\w+\/\w+\w+\.vmx)(?!vmx)" | rex field=_raw "(?P<VM>\w+-\w+\/\w+\-\w+\.vmx)(?!vmx)" | rex field=_raw "(?<VM>\w+\-\w+\-\w+\/\w+\-\w+\-\w+\.vmx)" | stats count by VM
The result is like this:
but I want:
Is this a different question or the same?
If a different one, please open a new one; that's useful for all the other people of the Community, so I and the others can help you.
If it's the same, please, as previously, share a sample of your logs.
P.S.: Karma Points are appreciated 😉
As you can see, I sent you two regexes for the old logs you shared, two versions because you sent two different versions of logs (first the results you're getting, then sample logs).
So, could you share a sample of all the kinds of logs?
Anyway, the regex to extract from the results you shared is
| rex "\w*\/[^\/]*\/(?<my_field>\S*)\s*$"
which you can test at https://regex101.com/r/m9VYnT/1, but it probably isn't correct.
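Added example (mine, not from either poster): it runs the regex from the answer above over constructed VM values of the shape the asker's three rex commands produce, shows why it over-captures on a full raw event (the "probably isn't correct" caveat), and adds a generalised single regex, my own assumption, that pulls just the .vmx file name from any event so one extraction can serve every sourcetype on the host. Python's named-group syntax is `(?P<name>...)` where Splunk/PCRE accept `(?<name>...)`.

```python
import re
from collections import Counter
from typing import Optional

# The regex from the answer above, rewritten in Python group syntax.
ANSWER_RE = re.compile(r"\w*/[^/]*/(?P<my_field>\S*)\s*$")

# My generalisation (an assumption, not from the thread): capture the
# last path component ending in .vmx wherever it sits in the raw event,
# independent of path depth or hyphens in the folder/file names.
VMX_RE = re.compile(r"(?P<VM>[^/\s]+\.vmx)\b")

# Constructed VM values, as the asker's rex commands would produce them.
RESULT_VALUES = [
    "ds1/web01/web01.vmx",
    "ds1/db-srv-02/db-srv-02.vmx",
    "ds-prod-01/app-01-a/app-01-a.vmx",
]

# Constructed raw events from two sourcetypes on the same host.
RAW_EVENTS = [
    "vpxa: opening /vmfs/volumes/ds1/web01/web01.vmx",
    "hostd: registered ds1/db-srv-02/db-srv-02.vmx OK",
    "hostd: registered ds-prod-01/app-01-a/app-01-a.vmx",
    "hostd: heartbeat ok",
]


def answer_regex(value: str) -> Optional[str]:
    """Apply the thread's regex; returns my_field or None."""
    m = ANSWER_RE.search(value)
    return m.group("my_field") if m else None


def vmx_name(event: str) -> Optional[str]:
    """Return only the .vmx file name from a raw event, or None."""
    m = VMX_RE.search(event)
    return m.group("VM") if m else None


def count_by_vm(events) -> Counter:
    """Equivalent of '| stats count by VM' over raw events."""
    return Counter(n for n in map(vmx_name, events) if n)


if __name__ == "__main__":
    for v in RESULT_VALUES:
        print(f"{v:40} -> {answer_regex(v)}")
    # On a full raw line, \S* runs from the first '/' to end of line,
    # so the answer regex returns 'volumes/ds1/web01/web01.vmx'.
    print(answer_regex(RAW_EVENTS[0]))
    print(count_by_vm(RAW_EVENTS))
```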