01-12-2018 23:41:12.856 +0000 INFO eod-hhh=5 eod-kkk=7 eod-lllll=88 eod-kaskas=898
01-12-2018 23:41:12.773 +0000 INFO eod-hhh=11 eod-kkk=44 eod-lllll=213123 eod-kaskas=2122 eod-llass=99
I have logs like the above. I want all values after eod- to be grouped into one field.
01-12-2018 23:41:12.856 +0000 INFO eod-hhh=5 eod-kkk=7 eod-lllll=88 eod-kaskas=898
I should get hhh kkk llll kaskas as one value
01-12-2018 23:41:12.773 +0000 INFO eod-hhh=11 eod-kkk=44 eod-lllll=213123 eod-kaskas=2122 eod-llass=99
I should get hhh kkk llll kaskas llass as one value
@nawazns5038, try the following rex command:
| rex "eod-(?<eod>[^\=]+)\=" max_match=0
Following is the run anywhere example for the sample data provided:
| makeresults
| eval _raw="01-12-2018 23:41:12.856 +0000 INFO eod-hhh=5 eod-kkk=7 eod-lllll=88 eod-kaskas=898"
| append [| makeresults
| eval _raw="01-12-2018 23:41:12.773 +0000 INFO eod-hhh=11 eod-kkk=44 eod-lllll=213123 eod-kaskas=2122 eod-llass=99"]
| rex "eod-(?<eod>[^\=]+)\=" max_match=0
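An added example, not part of the original answer: the run-anywhere search extended with one constructed event in which an eod- token has no = sign. It compares the answer's pattern with a stricter one that also stops at whitespace, then collapses the multivalue result into a single string with mvjoin. The field names sample, eod_loose, eod_strict and eod_joined are assumptions made for this example.

```spl
| makeresults
| eval sample="from the post", _raw="01-12-2018 23:41:12.856 +0000 INFO eod-hhh=5 eod-kkk=7 eod-lllll=88 eod-kaskas=898"
| append [| makeresults
    | eval sample="from the post", _raw="01-12-2018 23:41:12.773 +0000 INFO eod-hhh=11 eod-kkk=44 eod-lllll=213123 eod-kaskas=2122 eod-llass=99"]
| append [| makeresults
    | eval sample="constructed edge case", _raw="01-12-2018 23:41:13.001 +0000 INFO eod-broken eod-kkk=7"]
| rex "eod-(?<eod_loose>[^\=]+)\=" max_match=0
| rex "eod-(?<eod_strict>[^\s=]+)=" max_match=0
| eval eod_joined=mvjoin(eod_strict, " ")
| table sample _raw eod_loose eod_strict eod_joined
```

For the constructed event, eod_loose contains "broken eod-kkk" because [^\=]+ runs across the space to the next = sign, while eod_strict contains only "kkk".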