I'm trying to write a field extraction to get the number of hung threads on a WebSphere application server. The log statement looks something like:
[6/15/14 11:07:37:103 CDT] 00000003 ThreadMonitor W WSVR0605W: Thread "WebContainer : 21" (000000a3) has been active for 729415 milliseconds and may be hung. There is/are 3 thread(s) in total in the server that may be hung.
I want to key in on the following section: There is/are **3** thread(s)
If I pipe search results into the rex, the value is successfully extracted into a field called hung_thread_count:
<search criteria> | rex field=_raw \sThere is\/are \(?<hung_thread_count>.*?\) thread"
However, when I manually enter the regex into the interactive field explorer no matches are found when I hit the "test" button...do I have to enter something specific to extract this value into a field?
You are missing double quotes and there are too many escape characters in the regex, especially on the matching parentheses.
Try:
... | rex field=_raw "There is\/are (?<hung_thread_count>\d+) thread"
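Added example, not part of the original thread: the answer's pattern run outside Splunk against the log line from the question, next to the question's `.*?` capture, to show what each one extracts. The second and third sample lines, the function names and the alert threshold are constructed for illustration.

```javascript
// Pattern from the answer, unchanged. JavaScript accepts the same
// (?<name>...) named-group syntax that Splunk's PCRE engine uses.
const HUNG_RE = /There is\/are (?<hung_thread_count>\d+) thread/;

// Same pattern with the question's lazy ".*?" capture, for comparison.
const LAZY_RE = /There is\/are (?<hung_thread_count>.*?) thread/;

// Sample events: the first is the line from the question, the other
// two are constructed (a larger count, and a non-numeric look-alike).
const SAMPLE_LINES = [
  '[6/15/14 11:07:37:103 CDT] 00000003 ThreadMonitor W WSVR0605W: Thread "WebContainer : 21" (000000a3) has been active for 729415 milliseconds and may be hung. There is/are 3 thread(s) in total in the server that may be hung.',
  '[6/15/14 11:08:37:110 CDT] 00000003 ThreadMonitor W WSVR0605W: Thread "WebContainer : 7" (000000b1) has been active for 612004 milliseconds and may be hung. There is/are 12 thread(s) in total in the server that may be hung.',
  '[6/15/14 11:09:02:001 CDT] 00000041 SystemOut O There is/are no thread dumps pending.',
];

// Returns the hung-thread count as a number, or null when the event
// does not carry one. \d+ guarantees the captured text is numeric.
function extractHungThreadCount(line) {
  const m = HUNG_RE.exec(line);
  return m ? Number(m.groups.hung_thread_count) : null;
}

// Returns whatever the lazy capture grabs (any text up to " thread").
function extractLazy(line) {
  const m = LAZY_RE.exec(line);
  return m ? m.groups.hung_thread_count : null;
}

// Peak count over a batch of events, with a hypothetical alert threshold.
function summarize(lines, threshold) {
  const counts = lines.map(extractHungThreadCount).filter((c) => c !== null);
  const peak = counts.length ? Math.max(...counts) : 0;
  return { matched: counts.length, peak, alert: peak >= threshold };
}

for (const line of SAMPLE_LINES) {
  console.log(extractHungThreadCount(line), JSON.stringify(extractLazy(line)));
}
console.log(summarize(SAMPLE_LINES, 10));
```

On the third line the `\d+` capture returns no field, while the `.*?` capture produces the non-numeric value `no`, which would break numeric comparisons or `stats max()` on the field.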