Hi ,
I have below string and need to extract field after HCM5250: and before .
Also, while doing search need to consider 65.
Both response Code and responseMessage written on separate lines
65
updateContractTxnAccount Failed - update HCM5250:AD1218494460121708
For e.g:
index=mylog "65" AND "updateContractTxnAccount Failed - update HCM5250:" |rex
Not sure how to get exact rex here . Appreciate your help !!
Thanks ,
Harish
Below is my exact input stings out of which I need to extract only "AD1218494460121708" which is txn account number..All transaction a/c I need to extract from log
harishnpandey,
Did you mean to post the actual sample event?
If your event will have HCM5250 always, then:
rex "<responseCode>(?P<responseCode>\d+)[\s\S]+HCM5250:(?P<responseMessage>[^<]+)<"
or
rex "<responseCode>(?P<responseCode>\d+)[\s\S]+HCM5250:(?P<responseMessage>\w+)<"
Given the data as shown, either of these should work. If your data for the message is more generic, but you want the : to the end of the XML field, then try:
rex "<responseCode>(?P<responseCode>\d+)[\s\S]+<responseMessage>[^<]*?:(?P<responseMessage>[^<]+)<"
Here is the rex you need if you only need the last part of the responseMessage:
rex "<responseMessage>[^<]*?:(?P<fieldToBeExtracted_callMeWhatYouWant>[^<]+)<"
That should extract everything from after the colon (:) on to the end of the field.
<responseCode>65</responseCode>
<responseMessage>updateContractTxnAccount Failed - update HCM5250:AD1218494460121708</responseMessage>
Is this an actual sample event you pasted here?