2015-05-01 07:33 - [User Login] | Name#ID | 'John#11' | :User name: 'John', ID: '11' successfully logged in
2015-05-02 17:07 - [Search] | Name#ID | 'Sue#222' | :Estimated time | '2,06ms' |, Result count | '23' |, Search Terms | '{"Type":"ALL","Tag":[],"sn":"","searchEndDate":null,"Query":"storm","searchStartDate":1428249600000}' |
2015-08-01 07:33 - [User Login] | Name#ID#Dept | 'Jim#333#ENG1' | :User name: 'Jim', ID: '333' successfully logged in
2015-08-03 09:18 - [Edit] | Name#ID#Dept | 'Tom#3333#ENG2' | :Announcement 'Maintenance' updated successfully.
I have a mixture of rows that contain Name#ID and Name#ID#Dept in a log file. For lines that do not contain Dept, I will have to look up to a CSV file. Otherwise, I will need to extract the Dept from the line.
I only know how to deal with Name#ID or Name#ID#Dept rows separately using the following search queries to extract the Name, ID and Dept:
... | rex "[^\[]*\[(?<Action>[^\]]*)\].*Name#ID \| '(?<Name>[^#]*)#(?<ID>[^']*)" | lookup LKUP.csv ID output Dept
... | rex "[^\[]*\[(?<Action>[^\]]*)\].*Name#ID#Dept \| '(?<Name>[^#]*)#(?<ID>[^']*)#(?<Dept>[^']*)"
Is there any way to formulate a search query that combines the above-listed queries?
Because lookups do not overwrite fields by default, you can do it like this:
... | rex "[^\[]*\[(?<Action>[^\]]*)\].*Name#ID(?:#Dept)? \| '(?<Name>[^#]*)#(?<ID>[^#']*)(?:#(?<Dept>[^']*))?" | lookup LKUP.csv ID OUTPUTNEW Dept
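The same idea outside Splunk, as an added example that is not part of the thread: a single regex with an optional `#Dept` group parses both row shapes, and the CSV is consulted only for rows where the group did not match. Python's `re` module uses `(?P<name>...)` rather than the `(?<name>...)` form of `rex`, and the log lines and the `LKUP.csv` contents below are constructed stand-ins. The `overwrite` flag shows the difference between an `OUTPUT`-style lookup (CSV wins) and an `OUTPUTNEW`-style one (the value extracted from the line wins).

```python
import csv
import io
import re

# Constructed sample log lines, modelled on the ones in the question.
LOG_LINES = [
    "2015-05-01 07:33 - [User Login] | Name#ID | 'John#11' | :User name: 'John', ID: '11' successfully logged in",
    "2015-05-02 17:07 - [Search] | Name#ID | 'Sue#222' | :Estimated time | '2,06ms' |, Result count | '23' |",
    "2015-08-01 07:33 - [User Login] | Name#ID#Dept | 'Jim#333#ENG1' | :User name: 'Jim', ID: '333' successfully logged in",
    "2015-08-03 09:18 - [Edit] | Name#ID#Dept | 'Tom#3333#ENG2' | :Announcement 'Maintenance' updated successfully.",
]

# Constructed stand-in for LKUP.csv. ID 333 deliberately disagrees with the
# log line (ENG9 vs ENG1) so the overwrite behaviour is visible; 3333 is absent.
LOOKUP_CSV = """ID,Dept
11,SALES
222,HR
333,ENG9
"""

# One pattern for both row shapes: "#Dept" in the header and "#<value>" in the
# quoted payload are each optional. ID excludes '#' so it cannot swallow the Dept.
LINE_RE = re.compile(
    r"^[^\[]*\[(?P<Action>[^\]]*)\].*?Name#ID(?:#Dept)? \| "
    r"'(?P<Name>[^#']*)#(?P<ID>[^#']*)(?:#(?P<Dept>[^']*))?'"
)


def load_lookup(csv_text):
    """Build an ID -> Dept dict from CSV text (the role of LKUP.csv)."""
    return {row["ID"]: row["Dept"] for row in csv.DictReader(io.StringIO(csv_text))}


def parse_line(line, lookup, overwrite=False):
    """Extract Action/Name/ID/Dept from one line, filling Dept from the lookup.

    overwrite=False mimics `lookup ... OUTPUTNEW Dept`: the CSV is only used when
    the line carried no Dept. overwrite=True mimics `OUTPUT Dept`: a CSV match
    replaces whatever the line contained.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    looked_up = lookup.get(fields["ID"])
    if fields["Dept"] is None or (overwrite and looked_up is not None):
        fields["Dept"] = looked_up
    return fields


def enrich(lines, csv_text, overwrite=False):
    """Parse every matching line; lines the regex does not match are dropped."""
    lookup = load_lookup(csv_text)
    parsed = (parse_line(line, lookup, overwrite) for line in lines)
    return [fields for fields in parsed if fields is not None]


if __name__ == "__main__":
    for row in enrich(LOG_LINES, LOOKUP_CSV):
        print(row)
```

With `overwrite=False` Jim keeps `ENG1` from the line and Tom keeps `ENG2` even though his ID is not in the CSV, while John and Sue get `SALES` and `HR` from the lookup; with `overwrite=True` Jim's Dept becomes `ENG9`, which is the behaviour to expect from a plain `OUTPUT` clause.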