I am using the following query:
index=itx "PAD =" | dedup BOC | spath output=Channel path=AsRunMessage.Header.Channel | table BOC, channel
which results in events with big XML content. I need to extract the string "ITX1546" from inside the tags.
Also, I need to create a table with distinct rows containing unique BOC values.
The Channel field is not being populated.
Here is the XML structure:
Any ideas? Thank you
Found my own answer:
rex "<Channel [^>]+>(?<Channel>[^<]+)"