Hey - I'm taking my first steps on extracting fields with RegEx and can't seem to get this one working .. any help would be appreciated
The events look like this:
12/10/2019 07:40:23 AM
LogName=ARAdminService
SourceName=ARAdminSvc
EventCode=1521
EventType=4
Type=Information
ComputerName=wmidcars73.idexcorpnet.com
User=NOT_TRANSLATED
Sid=S-1-5-21-2094280246-649338158-1033845588-46148
SidType=0
TaskCategory=ScheduledTask
OpCode=Info
RecordNumber=11331718
Keywords=Classic
Message=Scheduled task has reported an event.
Task ID: 089546a0-3a4b-4b66-9e4e-43bc9a1f48a6
Object name: Exo-Process-Changes
Start date: 12/10/2019
Start time: 7:40:00 AM
Script module: Exo-Process-Changes
Task execution was completed
And I want to get that very last line, and put it in a "task_status" field.
This is my RegEx (well.. one of 20 I tried)
Script module: .*[\n\s\r]*(?<task_status>[^\n\r]*)
So I'm basically looking for that "Script module:" line, and want to take the next line that comes after the line breaks and white spaces.
I used a similar, yet more complex RegEx to extract multiple fields from a different event log, and that worked fine. So I don't get what's wrong with this one.
Just using the field extractor wizard would be great, too, but it seems that my events are longer (line count) than the field extractor can work with.
Thanks in advance
If I understand correctly, you want to capture both the text after the Script Module, and the text line after that. Here is one way to do it:
(your search)
| rex "Script module: (?<scriptModule>.*)\W\W\W\s(?<lastLine>[\W\w]+)$"
Here is the regex101: https://regex101.com/r/YpqNbx/1
thank you - I was not looking for the script module line, but it works as you specify and I'll keep that in my notes
If you use the Message field I believe the linefeeds will be removed, but just in case you can insert the multiline regex modifier (?m)
at the beginning of your rex extraction. Try this:
rex field=Message "(?m)Script module:\s*[^\s]+\s*(?<status>.*)"
thanks - that works
testing back and forth and the (?m) does not seem to be required - but with or without, your rex works
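To see what the answered rex actually captures, here is an added Python check (not from the thread and not Splunk's own code) that runs the same pattern over the sample Message text from the question, once with LF line breaks, once with CRLF, and once with the line feeds replaced by spaces; Python's re needs (?P<name>...) where Splunk's PCRE accepts (?<name>...).

```python
import re
from typing import Optional

# Constructed sample: the tail of the Message field quoted in the question.
MESSAGE_LF = (
    "Scheduled task has reported an event.\n"
    "Task ID: 089546a0-3a4b-4b66-9e4e-43bc9a1f48a6\n"
    "Object name: Exo-Process-Changes\n"
    "Start date: 12/10/2019\n"
    "Start time: 7:40:00 AM\n"
    "Script module: Exo-Process-Changes\n"
    "Task execution was completed"
)
# Windows event text often arrives with CRLF line endings.
MESSAGE_CRLF = MESSAGE_LF.replace("\n", "\r\n")
# The answer notes Splunk may strip line feeds from Message; emulate that.
MESSAGE_FLAT = MESSAGE_LF.replace("\n", " ")

# The answered rex, with (?<status>...) rewritten as (?P<status>...) for Python.
# (?m) only changes the meaning of ^ and $, and this pattern uses neither,
# which is why the asker saw no difference with or without it.
STATUS_RE = re.compile(r"(?m)Script module:\s*[^\s]+\s*(?P<status>.*)")


def extract_status(message: str) -> Optional[str]:
    """Return the 'status' capture for one Message value, or None on no match.

    [^\\s]+ consumes the script module name, \\s* swallows whatever separates
    it from the next line (LF, CRLF or a space), and .* takes the rest of
    that line because . does not match a newline.
    """
    m = STATUS_RE.search(message)
    return m.group("status") if m else None


if __name__ == "__main__":
    for label, msg in (("LF", MESSAGE_LF), ("CRLF", MESSAGE_CRLF), ("flat", MESSAGE_FLAT)):
        print(f"{label:>4}: {extract_status(msg)!r}")
```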