Log (2 lines given as an example):
2017/02/21 03:46:12.119-0800 [http-bio-8480-exec-3] C3AF4B3F9C2E40D2006D1513C81191A6.pppxwbtect014 INFO c.e.c.w.b.r.ShirtsSaleResource - #xHoster# #**res_ShirtServiceTosite**# ShirtsSaleResource.getLossier , URI -> /{1856659} , Time taken to get JSON -> **58** milliseconds
2017/02/21 03:46:08.489-0800 [http-bio-8480-exec-2] 82F757837394C2E950AEB9A47043DD61.pppxwbtect010 INFO c.e.c.p.m.i.CmppRestClientImpl - #xHoster# #**res_CmppToShirtService**# CmppRestClientImpl.prepareChange , URI -> http://ppp-Shirteu.ch.expeso.com:52008/order/PrepareChange , Time taken to get XML response -> **178** milliseconds
Expected output:
Field1 Field2
res_ShirtServiceToSite 58
res_CmppToShirtService 178
I tried:
index=app source=/var/log* "#xHoster#" | rex field=_raw "res_(?<ptype>.*)#" | rex field=_raw ".\-\>\s(?<ptime>.*)\smilliseconds" | table ptype,ptime
@pingdpk - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!
Here's my RegEx:
(?P<ptype>res_\w+).*\*\*(?P<ptime>\d+)
How about this:
rex field=_raw "(?<ptype>res_[^*]+)" | rex field=_raw "\*(?<ptime>\d+)"
How about this:
index=app source=/var/log* "#xHoster#"
| rex field=_raw "#(?<ptype>res_[^#]+)#.+\-\>\s*(?<ptime>\d+)\s*milliseconds"
| table ptype ptime
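As an added example (not from the question or any answer), the question's two chained rex patterns and the single pattern from the answer above, run in Python over the two sample log lines; it shows why the question's greedy `.*` groups drop the `res_` prefix and swallow the whole URI into ptime. Assumptions: the `**` marks around the fields in the posted log are forum bold markers, not log content, so the constructed sample omits them, and Splunk's `(?<name>...)` groups are written as Python's `(?P<name>...)`.

```python
import re

# Constructed sample: the question's two log lines with the "**" bold markers removed.
SAMPLE_LOG = [
    "2017/02/21 03:46:12.119-0800 [http-bio-8480-exec-3] C3AF4B3F9C2E40D2006D1513C81191A6.pppxwbtect014 INFO c.e.c.w.b.r.ShirtsSaleResource - #xHoster# #res_ShirtServiceTosite# ShirtsSaleResource.getLossier , URI -> /{1856659} , Time taken to get JSON -> 58 milliseconds",
    "2017/02/21 03:46:08.489-0800 [http-bio-8480-exec-2] 82F757837394C2E950AEB9A47043DD61.pppxwbtect010 INFO c.e.c.p.m.i.CmppRestClientImpl - #xHoster# #res_CmppToShirtService# CmppRestClientImpl.prepareChange , URI -> http://ppp-Shirteu.ch.expeso.com:52008/order/PrepareChange , Time taken to get XML response -> 178 milliseconds",
]

# The page's patterns, with Splunk's (?<name>) rewritten as Python's (?P<name>) (assumption).
ASKER_PTYPE = re.compile(r"res_(?P<ptype>.*)#")                  # greedy: "res_" is outside the group
ASKER_PTIME = re.compile(r".\-\>\s(?P<ptime>.*)\smilliseconds")  # matches the first "->", i.e. the URI
ANSWER = re.compile(r"#(?P<ptype>res_[^#]+)#.+\-\>\s*(?P<ptime>\d+)\s*milliseconds")


def extract_asker(line):
    """Mimic the question's two chained rex commands; None if either pattern fails."""
    m1 = ASKER_PTYPE.search(line)
    m2 = ASKER_PTIME.search(line)
    if not (m1 and m2):
        return None
    return m1.group("ptype"), m2.group("ptime")


def extract_answer(line):
    """Mimic the answer's single rex: ptype bounded by '#', ptime must be digits."""
    m = ANSWER.search(line)
    if not m:
        return None
    return m.group("ptype"), m.group("ptime")


def table(lines, extractor):
    """Equivalent of '| table ptype ptime': one (ptype, ptime) row per line that matched."""
    return [row for row in (extractor(line) for line in lines) if row is not None]


if __name__ == "__main__":
    for label, extractor in (("question's rex", extract_asker), ("answer's rex", extract_answer)):
        print(label)
        for ptype, ptime in table(SAMPLE_LOG, extractor):
            print(f"  {ptype!r}\t{ptime!r}")
```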
I came up with \*\*(?<ptype>res_[^\*]+)\*\*.*?\*\*(?<ptime>\d+)\*\*