I have below text and i need to extract "Successfully Sent" FTP Ipaddress and store number. I could extract first portion post which it is not working.
index="biztalk_idx" sourcetype="biztalk"|dedup Description|table Description|rex field=Description "(?<ExecutionStart>.* starting to execute)"|rex field=Description "(?<SendSales>Sending sales.*)"|rex field=Description "(?<SuccessSent>SUCCESSFULLY sent\s\w+)"
"Message SUCCESSFULLY sent to FTP ftp://10.23.18.8:21/Foljesedel_171026152046_135060.xml for store: S135060."
Also for extracting different fields from different values, do we have to add rex command each time or is there any other better way?
Can someone please help. Thanks!
@k_harini, based on the sample data provided, please try the following to use rex
to extract ftp_address
and store_no
fields.
| rex field=Description "Message SUCCESSFULLY sent to FTP (?<ftp_address>ftp:\/\/[^\/]+)\/.*\sfor\sstore:\s(?<store_no>[^\.]+)\."
Please use regex101.com for testing regular expression with your sample data. Following is run anywhere search based on your sample data:
| makeresults
| eval Description="Message SUCCESSFULLY sent to FTP ftp://10.23.18.8:21/Foljesedel_171026152046_135060.xml for store: S135060."
| rex field=Description "Message SUCCESSFULLY sent to FTP (?<ftp_address>ftp:\/\/[^\/]+)\/.*\sfor\sstore:\s(?<store_no>[^\.]+)\."
@k_harini, based on the sample data provided, please try the following to use rex
to extract ftp_address
and store_no
fields.
| rex field=Description "Message SUCCESSFULLY sent to FTP (?<ftp_address>ftp:\/\/[^\/]+)\/.*\sfor\sstore:\s(?<store_no>[^\.]+)\."
Please use regex101.com for testing regular expression with your sample data. Following is run anywhere search based on your sample data:
| makeresults
| eval Description="Message SUCCESSFULLY sent to FTP ftp://10.23.18.8:21/Foljesedel_171026152046_135060.xml for store: S135060."
| rex field=Description "Message SUCCESSFULLY sent to FTP (?<ftp_address>ftp:\/\/[^\/]+)\/.*\sfor\sstore:\s(?<store_no>[^\.]+)\."
Thanks for your help