The following works fine in the search bar.
index=i_a sourcetype=a_out| transaction source maxspan=1h|rex field=source "[\w\W]+/(? [A-Z0-9_]).(? \d )_(? \d*).out" | eval Time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table Job_Name PID Time
Props.conf entry is as follows
[a_out]
TZ = America/New York
TIME_FORMAT = %m/%d/%Y %H:%M:%S
SHOULD_LINEMERGE = False
KV_MODE=none
EXTRACT-sourcefields =[\w\W]+/(? [A-Z0-9_]).(? \d )_(? \d*).out in source
EXTRACT-jobid = JobId=(? \d*)
EXTRACT-batch_type = Batch_Type=(? \w*)
file is of the format - RUN_D_INCR_ABC_INCR_9_TESTF_EXP_C.20130801023732_99999.out.
(JOBNAME.DATE_PROCESSID.OUT)
Problem - The report only displays the Time and doesn’t display jobname/PID.
“View results” from the report is
index=i_a sourcetype=a_out | transaction source maxspan=1h | eval Time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table Job_Name PID Time
... View more