Hi,
I have data that looks like this
####<Sep 15, 2016 9:35:27 AM CDT> <Debug> <ucontrol> <betamax-cpe1> <managedServer1> <client-8> <<anonymous>> <> <> <1473950127749> <BEA-000000> <org.jivesoftware.util.Log - SENT: <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>>
####<Sep 15, 2016 10:18:53 AM CDT> <Warning> <ucontrol> <betamax-cpe1> <managedServer1> <smsQueueListenerContainer-1> <<anonymous>> <BEA1-35C7B98CDE9F> <> <1473952733478> <BEA-000000> <fn.service.impl.NumerexSmsSender - UCE-22233 - Failed to send Numerex sms message to 5555555555>
####<Sep 15, 2016 10:11:46 AM CDT> <Warning> <ucontrol> <betamax-portal1> <managedServer3> <[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1473952306182> <BEA-000000> <fn.webapp.listener.AuthenticationListener - Authentication Auditing Failed: AuthenticationFailureBadCredentialsEvent>
What I need to do is search on a failure, but the failure condition is presented in several ways (i.e. failed: OR failed; OR failed, OR failed. OR <failure).
What I need to do is match on failed* OR <failure
and then capture to the end of the line.
Still rather new to regex, so I'm unsure how to do wildcard matching.
Hi @dbcase - Just so you know, I edited your original question to include your revised/correct last sentence instead of having it as a floating comment 🙂
Try this
... | rex "\b(?<failmsg>[Ff]ail.*)"
I have no idea how you do regex so eloquently.... Maybe one day I can do the same.... 🙂
... | rex "<?[fF]ail[eu][dr]?e?[:;,. ](?<failure_code>.*)"
Something like this, perhaps?
... | rex "fail\w*\s*(?<failureMsg>.*)" | ...
Please check this -
sourcetype=failure | rex field=_raw "<?[fF]ail[eu][dr]?e?[:;,. ](?<failedCode>.*)" | table failedCode _time _raw
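An added example, not part of the thread: the three sample events from the question run through Python's re module with the patterns posted above, so the captures can be compared side by side before a pattern goes into a failure-auditing search. The rex groups are rewritten in Python's (?P<name>...) syntax; the function names extract and compare are made up for this example.

```python
import re

# The three events from the question, copied as posted.
SAMPLE = r"""####<Sep 15, 2016 9:35:27 AM CDT> <Debug> <ucontrol> <betamax-cpe1> <managedServer1> <client-8> <<anonymous>> <> <> <1473950127749> <BEA-000000> <org.jivesoftware.util.Log - SENT: <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>>
####<Sep 15, 2016 10:18:53 AM CDT> <Warning> <ucontrol> <betamax-cpe1> <managedServer1> <smsQueueListenerContainer-1> <<anonymous>> <BEA1-35C7B98CDE9F> <> <1473952733478> <BEA-000000> <fn.service.impl.NumerexSmsSender - UCE-22233 - Failed to send Numerex sms message to 5555555555>
####<Sep 15, 2016 10:11:46 AM CDT> <Warning> <ucontrol> <betamax-portal1> <managedServer3> <[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1473952306182> <BEA-000000> <fn.webapp.listener.AuthenticationListener - Authentication Auditing Failed: AuthenticationFailureBadCredentialsEvent>""".splitlines()

# Patterns from the answers, keyed by the field name each one extracts.
PATTERNS = {
    "failmsg": r"\b(?P<failmsg>[Ff]ail.*)",
    "failure_code": r"<?[fF]ail[eu][dr]?e?[:;,. ](?P<failure_code>.*)",
    "failureMsg": r"fail\w*\s*(?P<failureMsg>.*)",
}


def extract(pattern, line):
    """Return what the pattern's single named group captures, or None on no match."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def compare(events=SAMPLE):
    """Map each field name to its capture (or None) for every event, in order."""
    return {name: [extract(p, e) for e in events] for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, captures in compare().items():
        print(name)
        for capture in captures:
            # repr() makes leading spaces and missing matches (None) visible.
            print("   ", repr(capture))
```

On this sample the first pattern keeps the failure keyword in the field, the second drops the keyword and its delimiter (leaving a leading space after "Failed:"), and the third is case-sensitive, so it only captures from the lowercase <failure event.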