Hey Guys,
Here are a few examples of the logs that we have. I am having trouble grabbing from the last bracket ] to the end in each log file over with a rex.
Thank you
Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.151 17CBFB90 verbose 'App'] Set internal stats for VM: 31 (vpxa VM id), 1625 (vpxd VM id). Is FT primary? 0
Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.094 17E45B90 verbose 'App'] [VpxaInvtVmChangeListener] Guest DiskInfo Changed
Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.094 17E45B90 verbose 'App'] [VpxaHalServices] VmGuestDiskChange Event for vm(203) 3248
Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.093 17E45B90 verbose 'App'] [VpxaHalVmHostagent] 3248: GuestInfo changed 'guest.disk'
Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.093 17E45B90 verbose 'VpxaHalCnxHostagent'] [VpxaHalCnxHostagent::ProcessUpdate] Applying updates from 3213921 to 3213922 (at 3213921)
This ought to work.
... | rex "\]\s(?<msg>.*?)\s*$"
or if that's too greedy, try
... | rex "\]\s(?<msg>[^\]]*?)\s*$"
The new field will be called msg
and contain everything from the last ending square bracket to the end-of-line.
/k
This ought to work.
... | rex "\]\s(?<msg>.*?)\s*$"
or if that's too greedy, try
... | rex "\]\s(?<msg>[^\]]*?)\s*$"
The new field will be called msg
and contain everything from the last ending square bracket to the end-of-line.
/k
updated with a less greedy variant /k
Any suggestions???