I have these btool logs:
10-29-2013 09:15:34.551 INFO AdminManager - added factory for admin handler: 'licenses'
10-29-2013 09:15:34.551 DEBUG AdminManager - Found path '/opt/splunk/etc/apps/search/bin' for handler 'sendemail'.
29-2013 09:15:34.551 DEBUG HTTPRestDispatcher - loadConfig for masterlm _isProServer=1
When I do the automated extraction it looks like this:
(?i) DEBUG (?P<FIELDNAME>[^ ]+)
This does not find the values followed by INFO. How could I write this so it is not dependent on the word "DEBUG"?
Hello
try this:
(?i) (DEBUG|INFO) (?P<FIELDNAME>[^ ]+)
And add with pipes any other severity values you would like to capture
regards
Thanks again for the help.
I should have put in the things I tried at the beginning.
I tried (?i) \w+ (?P<fieldname>[^ ]+)
and this (?i) \w+\s (?P<fieldname>[^ ]+)
and this (?i)\w+\s(?P<fieldname>[^ ]+)\s\-\s
then use this:
(?i) \w+ (?P<FIELDNAME>[^ ]+)
There is a "\" before the w+
Right, thanks. I did think of doing this, but what if there is a WARN or ERROR? I didn't want to put (DEBUG|ERROR|WARN|INFO); I was hoping for a more elegant way to write it.
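One way to avoid listing the severity values, shown as an added example that is not from any poster in this thread: anchor on the time-of-day stamp, so that the token after it is the severity whatever its value and the token after that is the component. The group names `severity` and `component`, the helper `extract`, and the WARN/ERROR sample lines are assumptions made for this example.

```python
import re

# Anchor on HH:MM:SS.mmm instead of a fixed severity word. The next token is
# then the severity (INFO, DEBUG, WARN, ERROR, ...) and the one after it is the
# component name, which ends at the " - " separator before the message.
# \s+ tolerates extra padding between the columns.
LINE_RE = re.compile(
    r"\d{2}:\d{2}:\d{2}\.\d{3}\s+"
    r"(?P<severity>[A-Z]+)\s+"
    r"(?P<component>[^ ]+)\s+-\s"
)

# The first three lines are the ones quoted in the question (the third has a
# truncated date there and is kept as posted). The last two are constructed.
SAMPLE = [
    "10-29-2013 09:15:34.551 INFO AdminManager - added factory for admin handler: 'licenses'",
    "10-29-2013 09:15:34.551 DEBUG AdminManager - Found path '/opt/splunk/etc/apps/search/bin' for handler 'sendemail'.",
    "29-2013 09:15:34.551 DEBUG HTTPRestDispatcher - loadConfig for masterlm _isProServer=1",
    "10-29-2013 09:15:35.102 WARN ExampleComponent - constructed line with the word INFO in the message",
    "10-29-2013 09:15:35.417 ERROR ExampleComponent - constructed error line",
]


def extract(line):
    """Return (severity, component) for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group("severity"), m.group("component")


def extract_all(lines):
    """Apply extract() to each line and drop the lines that do not match."""
    return [r for r in (extract(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for sev, comp in extract_all(SAMPLE):
        print(f"{sev:5} {comp}")
```

The `(?P<name>...)` named-group syntax is the same one used in the extractions above, so the pattern string can be carried over as is.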