LogName=Application
SourceName=Oracle
EventCode=0
EventType=2
Type=Error
ComputerName=server1.xxx.ds.abcde.com
TaskCategory=%1
OpCode=Info
RecordNumber=5143664
Keywords=Classic
Message=Log: Oracle
Source: INTERFACES
Level: Error
Subject:
Object reference not set to an instance of an object.
Created On (UTC): 6/26/2017 3:03:03 PM
Created On (Local Machine): 6/26/2017 11:03:03 AM
I want to extract only the Subject field.
Hi,
(?:Subject\:)(?:[\r\n]{2})(?<Subject>.+)(?:[\r\n]{2})(?=Created)
or
(?:Subject\:)(?:[\r\n]{2})(?<Subject>.+)
Both work.
https://regex101.com/r/wcPRgS/1
Also as Splunk syntax:
| rex field=_raw "(?:Subject\:)(?:[\r\n]{2})(?<Subject>.+)"
PS:
woodcock-style: MY ANSWER IS THE BEST ANSWER ON THIS SITE. ONLY MY ANSWER IS CORRECT. I NEED KARMA MORE THAN ANYBODY. LIKE, SHARE AND SUBSCRIBE AND ALSO ACCEPT. THANKS! 😆
I tried the above regexes; none of them extracts the fields. My main aim is to extract a new field called Subject from the event logs.
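
An added example, not part of the original thread: it runs the answer's second pattern and a hypothetical tolerant variant over a constructed copy of the event, once with CRLF and once with LF line endings. The named group is written `(?P<Subject>...)` because Python's `re` requires that form. That LF-only line endings are the reason the pattern did not match for the asker is an assumption; the thread does not state the cause.

```python
import re

# The answer's second pattern, with only the named-group syntax changed for Python.
THREAD_PATTERN = re.compile(r"(?:Subject\:)(?:[\r\n]{2})(?P<Subject>.+)")

# Added variant (not from the thread): accepts CRLF or LF, allows trailing
# spaces after "Subject:", and stops the capture at the end of the line.
TOLERANT_PATTERN = re.compile(r"Subject:[ \t]*\r?\n(?P<Subject>[^\r\n]+)")

# Constructed sample built from the event shown in the question.
EVENT_LINES = [
    "Message=Log: Oracle",
    "Source: INTERFACES",
    "Level: Error",
    "Subject:",
    "Object reference not set to an instance of an object.",
    "Created On (UTC): 6/26/2017 3:03:03 PM",
]


def extract(pattern, raw):
    """Return the Subject capture, or None when the pattern does not match."""
    match = pattern.search(raw)
    return match.group("Subject") if match else None


def compare(line_ending):
    """Run both patterns over the sample joined with the given line ending."""
    raw = line_ending.join(EVENT_LINES)
    return extract(THREAD_PATTERN, raw), extract(TOLERANT_PATTERN, raw)


if __name__ == "__main__":
    # With CRLF the thread pattern matches but, in Python's re, "." also
    # consumes the "\r"; with LF only, "[\r\n]{2}" cannot match one newline.
    for name, ending in (("CRLF", "\r\n"), ("LF", "\n")):
        thread, tolerant = compare(ending)
        print(f"{name}: thread={thread!r} tolerant={tolerant!r}")
```

The tolerant pattern uses only constructs that PCRE also supports, so it can be tried in `rex` with the group written as `(?<Subject>...)`.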