Hello,
Can someone help me to build a table report by extracting 3 fields from a comma separated log:
Here's a log example:
2017-05-03 13:30:36 User.Error 10.40.11.241 2017-05-03 17:30:35,987, , audit.runtime.com.rsa.authmgr.internal.protocol.ace.AuthV4RequestHandler, ERROR, eec1c356f110280a7888f02ad5a2b3e9,1336c44ff110280a0801a35a997a135e,10.40.11.11,10.40.16.241,AUTH_PRINCIPAL_RESOLUTION,23008,FAIL,AUTH_RESOLUTION_FAILED_BY_ID_ALIAS,,,,,ptr555,,,1c0931660610330a1a1eb51b527f5700,000000000000000000001000e0011000,10.40.18.73,njx-domain..net,1,,,,,,,1,,,,,,,,
desired result would be a table with a result:
ptr555|FAIL|AUTH_RESOLUTION_FAILED_BY_ID_ALIAS
Thanks!
Assuming that any one of the fills could have values, but non having an embedded comma, this should work to get your three fields:
_your_search_ | rex "^([^,]*?,){11}(?P<a>[^,]+),(?P<b>[^,]*),([^,]*?,){4}(?P<c>[^,]+)," | table c, a, b
Try this out and see if you get the fields the way you want them. It worked for me with the one line example data you included. I don't know what your table headings would be, so I just used a, b and c. You can change that for your search.