Hi WoodCock,
I am able to extract the information from the log using the answer you posted to one of my colleague's questions (the same question), with a minor modification to the query.
| rex field=_raw "(?<TransactionCode>.{3})(?<FieldValueLen>.{2})(?<TempFieldValue>.*)"
| eval FieldValue=substr(TempFieldValue,1,FieldValueLen)
| eval TempFieldValue=substr(TempFieldValue,1+FieldValueLen)
| eval subevent=(TransactionCode . ":::" . FieldValueLen . ":::" . FieldValue)
| rex field=TempFieldValue "(?<TempTransactionCode>.{3})(?<TempFieldValueLen>.{2})(?<TempFieldValue>.*)"
| eval TransactionCode=mvappend(TransactionCode, TempTransactionCode)
| eval FieldValueLen=mvappend(FieldValueLen, TempFieldValueLen)
| eval FieldValue2=substr(TempFieldValue,1,TempFieldValueLen)
| eval FieldValue=mvappend(FieldValue, FieldValue2)
| eval TempFieldValue=substr(TempFieldValue,1+TempFieldValueLen)
| eval subevent=mvappend(subevent, TempTransactionCode . ":::" . TempFieldValueLen . ":::" . FieldValue2)
| mvexpand subevent
| rex max_match=5 field=subevent "(?<TransactionCode>.*?):::(?<FieldValueLen>.*?):::(?<FieldValue>.*)"
| table TransactionCode FieldValueLen FieldValue
By repeating the bold set of query lines, I am able to extract all the information from the log.
Is there any way to auto-iterate this query (loop), so that I can extract "n" such records up to the end of the line, which is more or less equal to max_match?
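The loop the post asks about, written outside SPL as an added example (not part of the original post or of any posted answer): a Python parser that walks one record to the end of the line. It assumes the layout implied by the rex above, a 3-character code, a 2-digit decimal length and then that many value characters, repeated; the names `parse_record`, `Field` and `SAMPLE` are hypothetical and the sample line is constructed.

```python
from typing import List, NamedTuple


class Field(NamedTuple):
    code: str    # TransactionCode: 3 characters
    length: int  # FieldValueLen: 2 decimal digits
    value: str   # FieldValue: `length` characters


CODE_W, LEN_W = 3, 2  # widths taken from the rex in the post


def parse_record(raw: str, max_fields: int = 100) -> List[Field]:
    """Walk the record left to right until the end of the line."""
    fields, pos = [], 0
    while pos < len(raw):
        if len(fields) >= max_fields:
            raise ValueError(f"more than {max_fields} fields")
        header = raw[pos:pos + CODE_W + LEN_W]
        if len(header) < CODE_W + LEN_W:
            raise ValueError(f"truncated header at offset {pos}")
        code, len_txt = header[:CODE_W], header[CODE_W:]
        # A length that is not two ASCII digits means the parse has lost sync.
        if not (len_txt.isascii() and len_txt.isdigit()):
            raise ValueError(f"non-numeric length {len_txt!r} at offset {pos}")
        length = int(len_txt)
        start = pos + CODE_W + LEN_W
        value = raw[start:start + length]
        # A declared length running past the end of the line is rejected,
        # not silently shortened the way substr() would shorten it.
        if len(value) < length:
            raise ValueError(f"field {code!r} claims {length} chars, {len(value)} left")
        fields.append(Field(code, length, value))
        pos = start + length  # always advances by at least the header width
    return fields


# Constructed sample line, not taken from a real log.
SAMPLE = "00105HELLO00203abc00300" + "00410ABCDEFGHIJ"

if __name__ == "__main__":
    for f in parse_record(SAMPLE):
        print(f"{f.code}:::{f.length:02d}:::{f.value}")
```
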