Hi Team,
I want to extract the values like the left side (LABEL is one of the fields); all fields and values should be taken from all the logs.
LABEL = SRC_RSTRT, SRC_RSTRS, GBLRESRM_MONITOR_TI
LABEL: SRC_RSTRT
IDENTIFIER: CB4A951F
Date/Time: Fri Sep 29 16:20:02 EDT 2017
Sequence Number: 192161
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: S
Type: INFO
WPAR: Global
Resource Name: SRC
LABEL: SRC_RSTRS
IDENTIFIER: CB4A951F
Date/Time: Wed Sep 27 06:51:00 EDT 2017
Sequence Number: 192160
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: S
Type: INFO
WPAR: Global
Resource Name: SRC
LABEL: GBLRESRM_MONITOR_TI
IDENTIFIER: 87EB4A70
Date/Time: Mon Sep 25 02:21:03 EDT 2017
Sequence Number: 192159
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: O
Type: PERM
WPAR: Global
Resource Name: GblResRM
Hey, try this:
<base search>|rex field=_raw "LABEL:\s(?<LABEL>\w+)"
Try this run-anywhere search:
|makeresults|eval raw="LABEL: SRC_RSTRT
IDENTIFIER: CB4A951F
Date/Time: Fri Sep 29 16:20:02 EDT 2017
Sequence Number: 192161
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: S
Type: INFO
WPAR: Global
Resource Name: SRC "|rex field=raw "LABEL:\s(?<LABEL>\w+)"
Hope this helps!
Hi,
I tried the search query below, but the field is still not created:
index=test sourcetype=errorlog |rex field=raw "LABEL:\s(?\w+)"
Instead of raw, write _raw.
Same error for that also.
index=test sourcetype=errorlog |rex field=_raw "LABEL:\s(?\w+)"
Error in 'rex' command: Encountered the following error while compiling the regex 'LABEL:\s(?\w+)': Regex: unrecognized character after (? or (?-
Hey, have you tried this:
index=test sourcetype=errorlog |rex field=_raw "LABEL:\s(?<LABEL>\w+)"
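The rex from the answers above extended to every field of the sample records, as an added run-anywhere example that is not part of the original thread. It assumes several records may arrive in one event, so it first splits on each `LABEL:` and then extracts per record; the field names `record`, `Date_Time`, `Sequence_Number`, `Machine_Id`, `Node_Id` and `Resource_Name` are chosen here, and the sample text is copied from the question.

```spl
| makeresults
| eval raw="LABEL: SRC_RSTRT
IDENTIFIER: CB4A951F
Date/Time: Fri Sep 29 16:20:02 EDT 2017
Sequence Number: 192161
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: S
Type: INFO
WPAR: Global
Resource Name: SRC
LABEL: GBLRESRM_MONITOR_TI
IDENTIFIER: 87EB4A70
Date/Time: Mon Sep 25 02:21:03 EDT 2017
Sequence Number: 192159
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: O
Type: PERM
WPAR: Global
Resource Name: GblResRM"
| rex field=raw max_match=0 "(?<record>LABEL:[\s\S]+?)(?=LABEL:|$)"
| mvexpand record
| rex field=record "LABEL:\s+(?<LABEL>\w+)"
| rex field=record "IDENTIFIER:\s+(?<IDENTIFIER>\w+)"
| rex field=record "Date/Time:\s+(?<Date_Time>[^\r\n]+)"
| rex field=record "Sequence Number:\s+(?<Sequence_Number>\d+)"
| rex field=record "Machine Id:\s+(?<Machine_Id>\w+)"
| rex field=record "Node Id:\s+(?<Node_Id>\S+)"
| rex field=record "Class:\s+(?<Class>\w+)"
| rex field=record "Type:\s+(?<Type>\w+)"
| rex field=record "WPAR:\s+(?<WPAR>\S+)"
| rex field=record "Resource Name:\s+(?<Resource_Name>\S+)"
| table LABEL IDENTIFIER Date_Time Sequence_Number Machine_Id Node_Id Class Type WPAR Resource_Name
```

Every capture group carries its name in angle brackets; a group written as `(?\w+)` with the name missing does not compile, which is the error quoted in the thread. Against indexed data where each record is already its own event, drop the split and `mvexpand` lines and point the remaining `rex` commands at `_raw`.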