sample event:
fullFormattedMessage: Device naa.60000970000297500017533030313231 performance has improved. I/O latency reduced from 3746 microseconds to 1859 microseconds.
Required field is in bold.
Hi,
try this
| makeresults | eval str="Device naa.60000970000297500017533030313231 performance has improved. I/O latency reduced from 3746 microseconds to 1859 microseconds"
| rex field=str "microseconds to (?<value>\d+) microseconds"
Hi @harshal94 ,
If the format of the string is going to be the same, then you can also use split (much easier)
|stats count|eval xyz="fullFormattedMessage: Device naa.60000970000297500017533030313231 performance has improved. I/O latency reduced from 3746 microseconds to 1859 microseconds."|eval splitted=split(xyz," ")|eval micsecs=mvindex(splitted,mvcount(splitted)-2)
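The two approaches in this thread, compared on inputs whose format varies. This is an added Python example, not part of the original posts. It mirrors the `rex` pattern and the `split`/`mvindex` lookup; the function names are hypothetical and every sample message except the first is constructed.

```python
import re

# Same pattern as the rex answer; Python spells named groups (?P<name>...).
LATENCY_RE = re.compile(r"microseconds to (?P<value>\d+) microseconds")


def by_regex(msg):
    """Anchor on the surrounding words; None when the pattern is absent."""
    m = LATENCY_RE.search(msg)
    return m.group("value") if m else None


def by_split(msg):
    """Positional lookup, like mvindex(splitted, mvcount(splitted)-2)."""
    parts = msg.split(" ")
    return parts[-2] if len(parts) >= 2 else None


SAMPLES = [
    # From the thread: the original event text.
    "Device naa.60000970000297500017533030313231 performance has improved. "
    "I/O latency reduced from 3746 microseconds to 1859 microseconds.",
    # Constructed: trailing text shifts the second-to-last token.
    "Device naa.EXAMPLE performance has improved. I/O latency reduced from "
    "3746 microseconds to 1859 microseconds. Please check.",
    # Constructed: a different event with no latency value at all.
    "Device naa.EXAMPLE is offline now.",
]


def compare(samples=SAMPLES):
    """Return (regex_result, split_result) for each sample message."""
    return [(by_regex(s), by_split(s)) for s in samples]


if __name__ == "__main__":
    for regex_val, split_val in compare():
        print(f"regex={regex_val!r:>8}  split={split_val!r}")
```

The regex yields no value when the message does not match, while the positional split always returns some token, so a dashboard or alert built on the split version can silently pick up non-numeric text if other event types share the field.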