here is a small piece of an event in my log:
;GET.SVC.INFO 01-25-17 404<
it starts with a semi-colon and contains the text GET.SVC.INFO a space and then the data formatted as mm-dd-yy and then a space followed by the user id which in this case is 404 followed by an ampsersand lt and an ending semi-colon
I would like to extract the user id at index time as a field name myuserid
thanks
Assuming your userid is only word characters, this should work.
INFO\s\d+\-\d+\-\d+\s\d+\<(?<myuserid>\w+)
Assuming you need a CO and don't want to bump the service.. You should go to Extract New Fields
on the left under Selected Fields
, I'd prefer to write my own regular expression
and enter in the regex above. Preview the extractions then save
Assuming your userid is only word characters, this should work.
INFO\s\d+\-\d+\-\d+\s\d+\<(?<myuserid>\w+)
Assuming you need a CO and don't want to bump the service.. You should go to Extract New Fields
on the left under Selected Fields
, I'd prefer to write my own regular expression
and enter in the regex above. Preview the extractions then save