Hi guys,
I got some strange events as follows:
timestamp: xxxx
controlType: xxxx
criticality: false
object: xxxx
replace: xxxx
timestamp: xxxx
controlType: xxxx
criticality: false
controlType2: xxxx
criticality: true
object: xxxx
delete: xxxx
timestamp: xxxx
controlType: xxxx
criticality: false
object: xxxx
add: xxxx
They are multi-line events and have different numbers of lines. The first line of each event starts with a timestamp. The last line of the event ends with an HTTP method, e.g. replace, add, delete.
I want to extract the HTTP method, but cannot get it working.
Here is the rex I used:
mybaseSearch| rex field=_raw "^(replace|add|delete)(?<method>\:\s)"
Anyone got a better idea? Sorry, not sure how to use keywords as the value of the field.
Many thanks.
Cheers,
Vincent
@season88481,
Give this a try
|rex field=_raw max_match=0 "(replace|delete|add): (?<METHOD>\S+)"
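
Added example, not part of either post: a Python check of what each pattern in the thread captures, run against constructed events shaped like the ones in the question. Python's `re` spells named groups `(?P<name>...)` where rex uses `(?<name>...)`; the `FIXED` pattern, the `extract` helper and the sample values are assumptions of this example.

```python
import re

# Constructed sample events, shaped like the ones in the question
# (placeholder values; the last line of each starts with the keyword).
EVENTS = [
    "timestamp: t1\ncontrolType: c1\ncriticality: false\n"
    "object: o1\nreplace: v1",
    "timestamp: t2\ncontrolType: c2\ncriticality: false\n"
    "controlType2: c3\ncriticality: true\nobject: o2\ndelete: v2",
    "timestamp: t3\ncontrolType: c4\ncriticality: false\n"
    "object: o3\nadd: v3",
]

# Pattern from the question: without (?m), ^ only matches at the start of
# the event (the timestamp line), and the named group wraps ": " instead
# of the keyword.
QUESTION = r"^(replace|add|delete)(?P<method>\:\s)"

# Pattern from the answer: the named group captures the text after the
# keyword, not the keyword itself.
ANSWER = r"(replace|delete|add): (?P<METHOD>\S+)"

# Assumed fix (not from the thread): (?m) lets ^ match at every line start,
# and the alternation sits inside the named group.
FIXED = r"(?m)^(?P<method>replace|add|delete):\s*(?P<value>.*)$"


def extract(pattern, group):
    """Return the named group's value for each sample event (None = no match)."""
    out = []
    for event in EVENTS:
        m = re.search(pattern, event)
        out.append(m.group(group) if m else None)
    return out


if __name__ == "__main__":
    print("question:       ", extract(QUESTION, "method"))
    print("question + (?m):", extract("(?m)" + QUESTION, "method"))
    print("answer:         ", extract(ANSWER, "METHOD"))
    print("fixed method:   ", extract(FIXED, "method"))
    print("fixed value:    ", extract(FIXED, "value"))
```

In rex syntax the last pattern would read `| rex field=_raw "(?m)^(?<method>replace|add|delete):"`, which puts the keyword itself into the `method` field.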