We have data from multiple sources and are capturing the first ten digits of an alphanumeric string, as shown in the regex in the search string below.
We are trying to capture transaction timings of when a message is created to when it's completed. Each message type will have different logging from the other, hence the various startswith strings listed below:
index=index sourcetype=logs
| rex "^(?:[^:\n]*:){4}(?P<ObjectID>\w+)"
| transaction ObjectID startswith="starting pointone" OR "starting pointtwo" OR "starting pointthree" OR "starting pointfour"
endswith="ending pointone" OR "ending pointtwo"
| table _time ObjectID source host duration
Does anyone know of a way to handle multiple string pairs for both startswith and endswith?
Also, we are using 6.5.
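An added example, not part of the original post, of one way to fold several start and end markers into a single condition each: tag every event with an eval field using match(), then let transaction use that field through startswith=eval(...) and endswith=eval(...). The field name phase and the regex alternations are assumptions built from the strings in the question.

```spl
index=index sourcetype=logs
| rex "^(?:[^:\n]*:){4}(?P<ObjectID>\w+)"
| eval phase=case(match(_raw, "starting point(one|two|three|four)"), "start",
                  match(_raw, "ending point(one|two)"), "end")
| transaction ObjectID startswith=eval(phase="start") endswith=eval(phase="end")
| table _time ObjectID source host duration
```

Events that match neither pattern get no phase value, so they neither open nor close a transaction but still join the one their ObjectID belongs to.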