Dear Community, I have the following search query: index="myIndex"
host="myHost"
source="mySource.log"
2021081105302743
"started with profile" The above gives me the following result: ...
See more...
Dear Community, I have the following search query: index="myIndex"
host="myHost"
source="mySource.log"
2021081105302743
"started with profile" The above gives me the following result: Progam has run, 2021081105302743 started with profile TEST_PROFILE_01 I would like to remove everything before TEST_PROFILE_01 , giving me just the profile. Beforehand I do not know what profile is used. Therefore I guess what I want is: Remove everything before "profile" Also remove "profile" Then, I want to display the profile in a "Single Value". I have used the below in a table before, but now that I am using Single Value, I don't know which field to use. Also if I use a string instead of the # below in the table, it won't work. | eval _raw = replace(_raw,"^[^#]*#", "") I have 2 questions: When using a Single Value Panel, what field do I use in the above search at the position _raw (what to replace it with)? When I search for the data as shown in the query located at the top, the data is shown in the "Event" field. Is this the field I should use? At the position of the # I would like to use "profile", but I don't know how to edit the regex accordingly. I could use some help on this matter. Thanks in advance.