I've got this search

index=main sourcetype="bigfix"
| eval raw=_raw
| rex mode=sed field=raw "s/\n/ /g"
| rex field=raw "At \d+:\d+:\d+\s+-0800\s+-(?<message>.*)"
| rex field=message "^(?<message_type>[^:]+):\s"
| eval message_type_ns=replace(message_type, " ", "")
| eval x_message_type=if(message_type == message_type_ns, message_type, "No message type")
| stats count by message_type, message_type_ns, x_message_type

That doesn't appear to be working correctly. I'm always getting either all true or all false. This is the output.

"message_type","message_type_ns","x_message_type",count
" ActionLogMessage",ActionLogMessage,"No message type",240
" ActiveDirectory",ActiveDirectory,"No message type",128
" Client has an AuthenticationCertificate Relay selected",ClienthasanAuthenticationCertificateRelayselected,"No message type",2
" Client shutdown (Service manager shutdown request) ******************************************** Current Date","Clientshutdown(Servicemanagershutdownrequest)********************************************CurrentDate","No message type",3
" Encryption",Encryption,"No message type",11
" Initializing Site",InitializingSite,"No message type",43
" PollForCommands",PollForCommands,"No message type",13
" Processing fixlet site. ******************************************** Current Date","Processingfixletsite.********************************************CurrentDate","No message type",1
" RegisterOnce",RegisterOnce,"No message type",149
" Report posted successfully ******************************************** Current Date","Reportpostedsuccessfully********************************************CurrentDate","No message type",1
" Restricted mode Initializing Site",RestrictedmodeInitializingSite,"No message type",3
" User interface process disabled for user 'user' ActiveDirectory","Userinterfaceprocessdisabledforuser'user'ActiveDirectory","No message type",1
" User interface process disabled for user 'user' ActiveDirectory","Userinterfaceprocessdisabledforuser'user'ActiveDirectory","No message type",1
" User interface session ended for user 'user' User interface session ended for user 'user' ******************************************** Current Date","Userinterfacesessionendedforuser'user'Userinterfacesessionendedforuser'user'********************************************CurrentDate","No message type",1
" User interface session ended for user 'user' ActiveDirectory","Userinterfacesessionendedforuser'user'ActiveDirectory","No message type",1
" User interface session ended for user 'user' ******************************************** Current Date","Userinterfacesessionendedforuser'user'********************************************CurrentDate","No message type",1

When I try this simple case, it works.

| makeresults
| eval string_a="Client shutdown (Service manager shutdown request) ******************************************** Current Date"
| eval string_b="Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date"
| eval my_string=if(string_a == string_b, string_a, string_b)

And the output:

_time: 2023-12-07 10:14:17
my_string: Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date
string_a: Client shutdown (Service manager shutdown request) ******************************************** Current Date
string_b: Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date

What I'm trying to do is find these:

At 09:01:45 -0800 -
Encryption: optional encryption with no certificate; reports in cleartext

The above would have message_type=Encryption. This example:

At 09:00:39 -0800 -
Starting client version xx.yy.zz.aa
FIPS mode disabled by default.
Cryptographic module initialized successfully.
Using crypto library libBEScrypto - OpenSSL

would have message_type="No message type". I've tried using colon (:), but there are messages with embedded colons. Any thoughts on how to solve this are appreciated.

TIA, Joe
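Added example, written for this page in Python rather than SPL; it is not the poster's search and not BigFix's own code. Two things are visible in the output quoted in the post: every `message_type` value starts with a space (`" ActionLogMessage"`, `" Encryption"`) while `message_type_ns` does not, so the `message_type == message_type_ns` test can never be true; and because newlines were flattened to spaces first, the first colon found can sit several lines into a multi-line entry, which is why values like `"Report posted successfully ... Current Date"` turn up as types. The parser below keeps the line structure, strips the leading whitespace, and takes a message type only when the first line of the entry begins with a single colon-free token followed by a colon. `spl_style_classify` reproduces the post's logic on the same entries so the failure can be seen side by side. The sample log text is constructed from the two excerpts quoted above (not captured from a real client); the `Next poll:` line is invented to show a colon that appears only on a later line. The header regex accepts any `+HHMM`/`-HHMM` offset, which is an assumption that generalises the post's hard-coded `-0800`.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the two excerpts in the post (not real data).
# Each entry starts with an "At HH:MM:SS -0800 -" header; the message starts on
# the next line and may span several lines. The "Next poll:" line is invented
# to show a colon that only appears on a later line of an entry.
SAMPLE_LOG = """\
At 09:00:39 -0800 -
Starting client version xx.yy.zz.aa
FIPS mode disabled by default.
Cryptographic module initialized successfully.
Using crypto library libBEScrypto - OpenSSL
At 09:01:45 -0800 -
Encryption: optional encryption with no certificate; reports in cleartext
At 09:01:46 -0800 -
Encryption: optional encryption with no certificate; reports in cleartext
At 09:02:10 -0800 -
Report posted successfully
Next poll: in 15 minutes
"""

# Assumption: any +HHMM/-HHMM offset, not only the -0800 used in the post.
ENTRY_HEADER = re.compile(r"^At (\d{2}:\d{2}:\d{2}) ([+-]\d{4}) -(.*)$")
# A message type is a single token (no whitespace, no colon) that opens the
# FIRST line of the entry and is immediately followed by a colon.
TYPE_RE = re.compile(r"^(?P<message_type>[^\s:]+):(?:\s|$)")
NO_TYPE = "No message type"


@dataclass
class Entry:
    time: str
    tz: str
    message: str
    message_type: str


def split_entries(log_text):
    """Group physical lines into (time, tz, message) tuples, one per header."""
    entries, current = [], None
    for line in log_text.splitlines():
        m = ENTRY_HEADER.match(line)
        if m:
            if current is not None:
                entries.append(current)
            current = [m.group(1), m.group(2), [m.group(3)]]
        elif current is not None:
            current[2].append(line)
    if current is not None:
        entries.append(current)
    # strip() removes the blank first line left by the "-\n" header ending
    return [(t, tz, "\n".join(lines).strip()) for t, tz, lines in entries]


def classify(message):
    """Type taken from the first line only, after leading whitespace is dropped."""
    first_line = message.lstrip().split("\n", 1)[0]
    m = TYPE_RE.match(first_line)
    return m.group("message_type") if m else NO_TYPE


def spl_style_classify(message):
    """Reproduces the post's pipeline: flatten newlines to spaces, keep the
    space that follows the header's "-", then compare the captured type with
    a copy that has every space removed. The leading space is never removed
    from message_type, so the comparison fails for every entry."""
    flat = " " + message.replace("\n", " ")
    m = re.match(r"^([^:]+):\s", flat)
    if not m:
        return NO_TYPE
    message_type = m.group(1)
    message_type_ns = message_type.replace(" ", "")
    return message_type if message_type == message_type_ns else NO_TYPE


def parse_log(log_text):
    return [Entry(t, tz, msg, classify(msg)) for t, tz, msg in split_entries(log_text)]


def count_by_type(entries):
    """Equivalent of "| stats count by message_type"."""
    return dict(Counter(e.message_type for e in entries))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e.time} {e.tz}  {e.message_type!r:20}  {e.message.splitlines()[0]}")
    print(count_by_type(entries))
    # The same entries through the post's logic: every one becomes NO_TYPE.
    print([spl_style_classify(e.message) for e in entries])
```

In SPL terms the equivalent change is to extract the type from the first line before flattening newlines and to anchor the capture with `^\s*([^\s:]+):` so that leading whitespace and multi-word prefixes are excluded at the regex rather than by a later string comparison.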