Hi @indeed_2000
Can you try this?
<your_search_goes_here>
| rex "User\:\s+(?<user>\S+)\s\|\|\smodule\:\s+(?<module>.+)$"
| table user module
---
An upvote would be appreciated and Accept the solution if this reply helps!
rex "User\:(?<user>.+)\s\|\|\smodule\:(?<module>.+)"
(field=_raw is added by default)
Thank you for the answer, but it does not work on all user & module names (both might have capital letters or special characters),
e.g.
2021-07-14 23:53:23,353 INFO [APP] User: A0000@#0000 || module: setNameDescription
2021-07-14 23:53:23,353 INFO [APP] User: A.Kay || module: setNameDescription
2021-07-14 23:53:23,353 INFO [APP] User: b_Kay || module: setNameDescription
any idea?
Thanks,
Not a problem. use:
rex "User\:(?<user>.+)\s\|\|\s(module\:(?<module>.+)|method\:(?<method>.+))"
Sorry for the misspelling, it is module; I modified my last reply.
I also tried this, but it does not work:
rex "User\:(?<user>.+)\s\|\|\s(module\:(?<module>.+)"
Any idea?
Thanks
@indeed_2000 What you originally provided has a different log structure: User: || module:
These new logs have User: || method, hence the rex provided only works for module. Which one are the correct events?
@indeed_2000 This one works for method.
<your_search>
| rex "User\:\s+(?<user>\S+)\s+\|\|\s+method:\s+(?<method>\S+)$"
| table user method
--
An upvote would be appreciated and accept solution if this reply helps!
it worked! thank you! 🙂
replace it with module
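The following is an added example, not code from the thread, that runs the rex patterns posted above against the sample events in Python so the difference between the loose `.+` capture and the anchored `\s+`/`\S+` capture is visible. Splunk's rex uses PCRE named groups `(?<name>...)`, which Python's `re` does not accept, so a small helper rewrites them to `(?P<name>...)`. The sample events are constructed from the lines quoted in the thread; the fourth event (with `method:`) and the combined pattern `STRICT_BOTH`, which handles `module:` and `method:` in one extraction, are assumptions of this example and do not come from the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events, modelled on the lines quoted in the thread.
# The last one (method: instead of module:) is assumed for this example.
SAMPLE_EVENTS = [
    "2021-07-14 23:53:23,353 INFO [APP] User: A0000@#0000 || module: setNameDescription",
    "2021-07-14 23:53:23,353 INFO [APP] User: A.Kay || module: setNameDescription",
    "2021-07-14 23:53:23,353 INFO [APP] User: b_Kay || module: setNameDescription",
    "2021-07-14 23:53:23,353 INFO [APP] User: A.Kay || method: getNameDescription",
]

# Patterns exactly as posted in the thread (PCRE syntax, as used by Splunk rex).
LOOSE_MODULE = r"User\:(?<user>.+)\s\|\|\smodule\:(?<module>.+)"
STRICT_METHOD = r"User\:\s+(?<user>\S+)\s+\|\|\s+method:\s+(?<method>\S+)$"
COMBINED = r"User\:(?<user>.+)\s\|\|\s(module\:(?<module>.+)|method\:(?<method>.+))"

# Assumed generalisation (not from the thread): anchored like STRICT_METHOD,
# but accepts either keyword and records which one matched.
STRICT_BOTH = r"User:\s+(?<user>\S+)\s+\|\|\s+(?<kind>module|method):\s+(?<name>\S+)$"


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def extract(pattern: str, event: str) -> Optional[Dict[str, str]]:
    """Apply one rex-style pattern to one event; return the named fields
    that actually captured something, or None when the pattern does not match."""
    m = re.search(pcre_to_python(pattern), event)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def extract_all(pattern: str, events: List[str]) -> List[Dict[str, str]]:
    """Apply a pattern to every event, keeping only the matching ones
    (Splunk's rex likewise leaves non-matching events without the fields)."""
    return [fields for fields in (extract(pattern, e) for e in events) if fields]


if __name__ == "__main__":
    for label, pat in [("loose", LOOSE_MODULE), ("strict", STRICT_BOTH)]:
        for fields in extract_all(pat, SAMPLE_EVENTS):
            # repr() makes the leading space captured by .+ visible
            print(label, {k: repr(v) for k, v in fields.items()})
```

Running it shows why the accepted answer switched to `\s+(?<user>\S+)`: with `User\:(?<user>.+)` the greedy `.+` starts immediately after the colon, so every user value (and module value) carries a leading space, while the anchored form yields clean values for `A0000@#0000`, `A.Kay` and `b_Kay` alike, and `STRICT_METHOD` simply does not match the `module:` events at all.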