Need help on getting rex query. I am getting below two events. I am able to rex for event 1 with NULL field. But I also need to capture the sample event 2 which does not have NULL value. Instead o...
See more...
Need help on getting rex query. I am getting below two events. I am able to rex for event 1 with NULL field. But I also need to capture the sample event 2 which does not have NULL value. Instead of NULL it just have ",," (no NULL values just two single quotes.). Need the rex command to capture the field in both the case. If event has NULL then need the NULL field and if just two single quote need blank value. sample event1: acd.55,1,NULL,C:\totalview\ftp\switches\customer1\55\020224.1100,PASS,2024-02-02 17:32:30.047 +00:00,2024-02-02 17:36:02.088 +00:00,212 Sample event 2: acd.85,1,,C:\totalview\ftp\switches\customer1\85\020224.1100,PASS,2024-02-02 17:31:30.032 +00:00,2024-02-02 17:32:00.226 +00:00,30 Created the below rex query which is working for event 1. But not recognizing if getting event 2 some time. ^(?P<ACD>\w+\.\d+)\t(?P<ATTEMPTS>[^\t]+)\t(?P<FAIL_REASON>[^\t]+)\t(?P<INTERVAL_FILE>[^\t]+)\t(?P<STATUS>\w+)\t(?P<START>[^\t]+)\t(?P<FINISH>[^\t]+)\t(?P<INGEST_TIME>.+)