I have a log file containing information logged in the below format:
Response Received from ABC service for Submit
The following response has been received from XYZ for Submit
and so on.
I am interested in the values ABC, XYZ, etc. So I want to extract these values to a single field, say Field1.
How can I do this?
The approach I think is cleanest (at least to my eyes) is to write these as separate extractions, then merge them in your search. This trick is borrowed from lguinn's excellent answer to a related question here.
yoursearchhere |
eval output = field1 + ";" + field2 |
makemv delim=";" output |
mvexpand output
Just make sure that your fields won't contain semicolons, if so, pick a different delim.
Are those two separate events or one event that you are extracting the ABC and XYZ from?
If it's two separate events, you can easily use an "or" in your regex to look for two different patterns. Try this:
<base search> | rex "(Response Received from|has been received from) (?P<my_field>[^\s]+)( service)? for Submit$"
This basically looks for either "Response Received from" or "has been received from" before capturing your field, and looks for "for Submit" after the capture. Note that the "$" anchors the "for Submit" to the end of the event; you may want to skip that if the above were shortened examples of your events.
Technically because your two events are so similar it would be simpler to do a simpler rex:
<base search> | rex "(?P<my_field>[^\s]+)( service)? for Submit$"
Because in both your cases, the value is followed by "for Submit" or "service for Submit" it really doesn't matter what comes before it.
Hope this helps
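To check both answers offline before putting them into a search, here is an added example (not from either answerer, and not Splunk's own code) that runs the two rex patterns from the second answer, plus an unanchored variant, over a few constructed sample events using Python's re module, which shares the (?P<name>...) named-group syntax with rex. It also approximates the first answer's "two separate extractions, then merge" approach by collecting whichever of field1/field2 matched into one list. The event strings, the third event with trailing text, and the helper names are all assumptions made for the example.

```python
import re

# Constructed sample events in the two formats from the question, plus one
# with trailing text to show what the "$" anchor does to the match.
SAMPLE_EVENTS = [
    "Response Received from ABC service for Submit",
    "The following response has been received from XYZ for Submit",
    "Response Received from DEF service for Submit (retry 2)",  # constructed
]

# Alternation pattern from the second answer, copied as-is.
ALT_PATTERN = re.compile(
    r"(Response Received from|has been received from) (?P<my_field>[^\s]+)( service)? for Submit$"
)
# The simpler pattern from the same answer.
SIMPLE_PATTERN = re.compile(r"(?P<my_field>[^\s]+)( service)? for Submit$")
# Same pattern with the "$" anchor dropped, for events that carry trailing text.
UNANCHORED_PATTERN = re.compile(r"(?P<my_field>[^\s]+)( service)? for Submit")


def extract(pattern, event):
    """Return the my_field capture for one event, or None when rex would add no field."""
    m = pattern.search(event)
    return m.group("my_field") if m else None


def extract_all(pattern, events):
    """Apply one pattern to every event, like rex over a result set."""
    return [extract(pattern, e) for e in events]


# First answer's approach: one extraction per message format (hypothetical
# field names field1/field2), then merged into a single multivalue-style list.
FIELD1_PATTERN = re.compile(r"Response Received from (?P<field1>\S+) service for Submit")
FIELD2_PATTERN = re.compile(r"has been received from (?P<field2>\S+) for Submit")


def merged_field(event):
    """Collect whichever of field1/field2 matched, approximating eval+makemv+mvexpand."""
    values = []
    m = FIELD1_PATTERN.search(event)
    if m:
        values.append(m.group("field1"))
    m = FIELD2_PATTERN.search(event)
    if m:
        values.append(m.group("field2"))
    return values


if __name__ == "__main__":
    for name, pat in [("alternation", ALT_PATTERN),
                      ("simple", SIMPLE_PATTERN),
                      ("unanchored", UNANCHORED_PATTERN)]:
        print(name, extract_all(pat, SAMPLE_EVENTS))
    for e in SAMPLE_EVENTS:
        print("merged", merged_field(e))
```

The third event is the case the second answer warns about: with "$" in place both anchored patterns return nothing for it, while the unanchored variant still captures DEF. The leftmost-match rule is what keeps the simple pattern from capturing the literal word "service" in the first event, so the optional "( service)?" group matters; dropping it would change the result.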