I have a log mentioned below:
ERROR: Cannot retrieve requested details in 103 ms cause: [50000] ERROR: Building profile failed in 103 ms cause: [000026] ERROR: Cannot build requested profile in 99 ms cause: [5100007] ERROR: Cannot get details for ID : [[ ID ]] cause: Retrieve details failure cause:
I need to extract the string that starts from 1st "ERROR:" to 2nd "cause:" word.
I am using rex field=_raw "(?ERROR.*)cause:"
It is giving me complete string till the last cause. Can you help me with rex to stop at 2nd cause:
Expected result:
ERROR: Cannot retrieve requested details in 103 ms cause: [50000] ERROR: Building profile failed in 103 ms
Hi Nadal7noval,
You can try below:
(?<ERROR>(ERROR:.+?){2})(?=cause\:\s\[)
OR
(?<ERROR>(ERROR:.+?){2})(?=cause\:)
Hi Nadal7noval,
try this
(?<ERROR>(ERROR:.*cause:\s\[\d+\]\s+){2})
or
| rex "(?<ERROR>(ERROR:.*cause:\s\[\d+\]\s+){2})"
test it at https://regex101.com/r/rrhW1y/1
Bye.
Giuseppe