Expecting output like below:

thanks for sharing the command but, it is giving below error.

"Error in 'rex' command: Encountered the following error while compiling the regex 'Client:s'(?[^']+).*Volume'(?[^']+)': Regex: unrecognized character after (? or (?- "

I just tested this and get the desired results. Test this and let me know if you get the same error. This time I entered it as a code sample... Learn something new everyday 🙂

index=* | head 1 | eval s="Nov 2 18:44:02 netapp-master9.bkp.bf1.yahoo.com NetVault[2655]: NetVault: Client: 'netapp_master9_bkp_bf1' Class: 'Data Plugin' Job: '21483' Warnlevel: 'Error' Msg: 'NDMP: ERROR 1: DATA: Operation terminated: Backup of non-local Volume '/use71-mobstor-bf1/vol070' not supported (for /use71-mobstor-bf1/vol070)'" | rex field=s "Client:\s'(?<client>[^']+).*Volume\s+'(?<volume>[^']+)" | dedup volume | table s client volume

yes it is displaying client and volume in a table format when i run above command that is awesome, but when i try to run this command non-local Volume host="netapp-master9.bkp.bf1.yahoo.com" | rex field=s "Client:\s'(?[^']+).*Volume\s+'(?[^']+)" | dedup volume | table client volume

it is giving error "No Results Found", i am also trying to do modifications on syntax. Yes learning something new is always excited 🙂

Thanks,
Ram

Hurray i got it, thank you very much for your guidance finally i got the output what i am looking for.

non-local Volume host="netapp-master9.bkp.bf1.yahoo.com" | rex "Client:\s'(?[^']+).*Volume\s+'(?[^']+)" | dedup volume | table client volume

No they are not extracted fields, i need to fetch those using regex. I have tried below command but its giving error.
"Error in 'rex' command: Encountered the following error while compiling the regex 'Client:s'(?[^']+).*Volume'(?[^']+)': Regex: unrecognized character after (? or (?- "

| rex "Client:s'(?[^']+).*Volumes'(?[^']+)" | dedup volume | table client volume