I would like to perform field extraction from an unstructured event.
I am unable to perform the field extraction from FX, as the event size is so big and it's not completely visible. On top of that, most events do not have a standard structure.
I am able to extract the required field using | rex (?<test1_status>"Running")
.
But when I used the same rex in the following search, it's not giving me the required results as the results are getting filtered by the rex.
Please let me know a way to incorporate this rex in props.conf and/or improve the following search.
Additionally, I think the rex in this search will not get the accurate results as both of them are trying to extract same value Running
from two source types.
index="test1" (sourcetype="stype1" OR sourcetype="stype2")
| rex (?<test1_status>"Running")
| rex (?<test2_status>"Running")
| stats latest(*_status) as *_status by sourcetype
| stats values(*_status) as *_status
| eval running_ok = if(test1_status="Running" AND test2="Running", 0, 1)
| eval final = if(running_ok=0, 0, 1)
|table running_ok final
See if this query gives you the desired results
index="test1" (sourcetype="stype1" OR sourcetype="stype2")
| rex "(?<status>Running)"
| fillnull value="Not Running" status
| stats latest(status) as status by sourcetype
| eval running_ok = if(stype1="Running" AND stype2="Running", 0, 1)
| eval final=running_ok
| table running_ok final
Please share a sample event.