I have a line that contains 2 different fields that I need.
Right now I have:
index=os sourcetype="xxx" | regex _raw="\d tests, \d assertions, \d failures, \d errors"
Which returns for example:
2 tests, 2 assertions, 0 failures, 0 errors
How can I extract the fields tests and failures? Would it be possible?
regex filters results, use rex to extract fields in a search: http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/rex
Can you post some sample logs? Based on that people will be able to help you with field extractions.
I'm guessing this:
... | rex "(?<tests>\d+) tests, (?<assertions>\d+) assertions, (?<failures>\d+) failures, (?<errors>\d+) errors"
However, without seeing your actual events that's only that, a guess.
The number actually comes before \d tests.
Can you post how we can do it with rex? I'm still struggling.
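A run-anywhere search showing the regex/rex distinction from the answers above. It is an added example, not posted by anyone in the thread. The three events are constructed sample data, the field name n is made up for the illustration, and it assumes a Splunk version that has the makeresults command. regex only drops the event that does not match, rex then turns the four counts into fields, and where keeps only runs that reported a failure or an error.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n=1, "2 tests, 2 assertions, 0 failures, 0 errors",
                 n=2, "14 tests, 31 assertions, 3 failures, 1 errors",
                 n=3, "service started, nothing to report")
| regex _raw="\d+ tests, \d+ assertions, \d+ failures, \d+ errors"
| rex "(?<tests>\d+) tests, (?<assertions>\d+) assertions, (?<failures>\d+) failures, (?<errors>\d+) errors"
| where tonumber(failures) > 0 OR tonumber(errors) > 0
| table tests assertions failures errors
```

Against real data, replace the first three commands with the base search (index=os sourcetype="xxx") and keep the pipeline from regex onward.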