Please find the below events. I want to extract the field which will have Error, Warning, info and error. Let me know how I should extract it, thanks.
IB_FICC_IRD_1110_ASIA_FOLIOS NLDN7936PAP 2016-08-02 15:06:02: Exit state is Error. Returning with exit code 1.
IB_FICC_IRD_1110_AVI_PAYMENTS_APAC_MOVE_TLM 2016-08-02 15:02:02: Exit state is Warning. Returning with exit code 0
IB_FICC_IRD_1110_LIGHTSTRT_FOLIOS NLDN7934PAP 2016-08-02 07:09:02: Exit state is Warning. Returning with exit code 0.
IB_FICC_IRD_1110_LDNX_FOLIOS NLDN7934PAP 2016-08-02 07:07:42: Exit state is Warning. Returning with exit code 0.
IB_FICC_IRD_1110_LDNO_FOLIOS NLDN7934PAP 2016-08-02 07:06:52: Exit state is Warning. Returning with exit code 0.
IB_FICC_OBS_2004_MIS_Panther_EURO_2603mac [Wed 03 Aug 07:03:31 2016] [info] Execution completed for 2603mac
IB_FICC_OBS_2004_MIS_Report_EURO_2604mac [Wed 03 Aug 07:03:31 2016] [info] Execution completed for 2604mac
IB_FICC_OBS_2004_MIS_Panther_EURO_2602mac [Wed 03 Aug 07:03:31 2016] [info] Execution completed for 2602mac
IB_FICC_OBS_2004_MIS_Panther_EURO_2601mac [Wed 03 Aug 07:03:31 2016] [info] Execution completed for 2601mac
Try this:
| rex field=YourField "(?msi)(Exit state is (?<State1>\w+)|\[(?<State2>\w+)\] Execution completed)"
| eval State = coalesce(State1, State2)
| fields - State1, State2
Example:
| stats count | fields - count
| eval _raw = "
IB_FICC_IRD_1110_ASIA_FOLIOS NLDN7936PAP 2016-08-02 15:06:02: Exit state is Error. Returning with exit code 1.
IB_FICC_IRD_1110_AVI_PAYMENTS_APAC_MOVE_TLM 2016-08-02 15:02:02: Exit state is Warning. Returning with exit code 0
IB_FICC_IRD_1110_LIGHTSTRT_FOLIOS NLDN7934PAP 2016-08-02 07:09:02: Exit state is Warning. Returning with exit code 0.
IB_FICC_IRD_1110_LDNX_FOLIOS NLDN7934PAP 2016-08-02 07:07:42: Exit state is Warning. Returning with exit code 0.
IB_FICC_IRD_1110_LDNO_FOLIOS NLDN7934PAP 2016-08-02 07:06:52: Exit state is Warning. Returning with exit code 0.
IB_FICC_OBS_2004_MIS_Panther_EURO_2603mac [Wed 03 Aug 07:03:31 2016] [info] Execution completed for 2603mac
IB_FICC_OBS_2004_MIS_Report_EURO_2604mac [Wed 03 Aug 07:03:31 2016] [info] Execution completed for 2604mac
IB_FICC_OBS_2004_MIS_Panther_EURO_2602mac [Wed 03 Aug 07:03:31 2016] [info] Execution completed for 2602mac
IB_FICC_OBS_2004_MIS_Panther_EURO_2601mac [Wed 03 Aug 07:03:31 2016] [info] Execution completed for 2601mac
"
| rex field=_raw max_match=0 "(?<raw>[^\n]+)"
| mvexpand raw
| fields - _raw
| rex field=raw "(?msi)(Exit state is (?<State1>\w+)|\[(?<State2>\w+)\] Execution completed)"
| eval State = coalesce(State1, State2)
| fields - State1, State2
Output: see picture below
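As an added example (not part of the answer above, and not Splunk code), the same two-branch extraction in Python, run over a few of the question's sample events. It goes a little beyond the rex: besides the coalesced State it pulls job name, optional host, timestamp and exit code out of both layouts, and the host token and trailing period are treated as optional because one sample line lacks them. Field names such as job, host and exit_code are my own choice.

```python
import re
from datetime import datetime

# Same alternation as the rex above; the first branch matches the
# "Exit state is X." layout, the second the "[level] Execution completed" one.
STATE_RE = re.compile(
    r"Exit state is (?P<State1>\w+)|\[(?P<State2>\w+)\] Execution completed", re.I)

# Full-line patterns for both layouts so job, timestamp and exit code come out
# alongside the state. Host (e.g. NLDN7936PAP) and the trailing period are
# optional because one of the sample lines has neither.
IRD_RE = re.compile(
    r"^(?P<job>\S+)\s+(?:(?P<host>\S+)\s+)?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"Exit state is (?P<state>\w+)\. Returning with exit code (?P<code>\d+)\.?$")
OBS_RE = re.compile(
    r"^(?P<job>\S+) \[(?P<ts>[^\]]+)\] \[(?P<state>\w+)\] Execution completed for (?P<target>\S+)$")

def extract_state(line):
    """Mirror of rex + coalesce(State1, State2): first non-empty group, else None."""
    m = STATE_RE.search(line)
    return (m.group("State1") or m.group("State2")) if m else None

def parse_line(line):
    """Normalise either layout into one dict; an unknown layout returns None."""
    m = IRD_RE.match(line)
    if m:
        return {"job": m["job"], "host": m["host"],
                "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "state": m["state"].lower(), "exit_code": int(m["code"])}
    m = OBS_RE.match(line)
    if m:
        return {"job": m["job"], "host": None,
                "time": datetime.strptime(m["ts"], "%a %d %b %H:%M:%S %Y"),
                "state": m["state"].lower(), "exit_code": None}
    return None

def count_states(lines):
    """Equivalent of '| stats count by State', case-folded so info/Info merge."""
    counts = {}
    for line in lines:
        s = extract_state(line)
        if s is not None:
            counts[s.lower()] = counts.get(s.lower(), 0) + 1
    return counts

# Sample events copied from the question (constructed input for this example).
SAMPLE = [
    "IB_FICC_IRD_1110_ASIA_FOLIOS NLDN7936PAP 2016-08-02 15:06:02: Exit state is Error. Returning with exit code 1.",
    "IB_FICC_IRD_1110_AVI_PAYMENTS_APAC_MOVE_TLM 2016-08-02 15:02:02: Exit state is Warning. Returning with exit code 0",
    "IB_FICC_IRD_1110_LDNX_FOLIOS NLDN7934PAP 2016-08-02 07:07:42: Exit state is Warning. Returning with exit code 0.",
    "IB_FICC_OBS_2004_MIS_Panther_EURO_2603mac [Wed 03 Aug 07:03:31 2016] [info] Execution completed for 2603mac",
]
```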
Try this regex in your props.
[<spec>]
EXTRACT-<class> = (?<status>[Ee]rror|Warning|[Ii]nfo)