Hi,
I need to extract multiple lines of raw log into a message field
example raw log:
timestamp : The decision about what to put into your paragraphs begins with the germination of a seed of ideas; this “germination process” is better known as brainstorming. There are many techniques for brainstorming; whichever one you choose, this stage of paragraph development cannot be skipped. Building paragraphs can be like building a skyscraper: there must be a well-planned foundation that supports what you are building. Any cracks, inconsistencies, or other corruptions of the foundation can cause your whole paper to crumble.
So, let’s suppose that you have done some brainstorming to develop your thesis. What else should you keep in mind as you begin to create paragraphs? Every paragraph in a paper should be:
Unified: All of the sentences in a single paragraph should be related to a single controlling idea (often expressed in the topic sentence of the paragraph).
Clearly related to the thesis: The sentences should all refer to the central idea, or thesis, of the paper (Rosen and Behrens 119).
Coherent: The sentences should be arranged in a logical manner and should follow a definite plan for development (Rosen and Behrens 119).
Now I want to extract the bold content from the raw log. How to do this in Search Head?
Thank you 🙂
Hi raj_mpl,
This may help:
<your search> | rex "(?ms)^Unified: (?P<para>.+)Coherent: "
Thanks @p_gurav for your reply on this. Yes, it worked, but what will be the regular expression if my event is like below?
timestamp : The decision about what to put into your paragraphs begins with the germination of a seed of ideas; this “germination process” is better known as brainstorming. There are many techniques for brainstorming; whichever one you choose, this stage of paragraph development cannot be skipped. Building paragraphs can be like building a skyscraper: there must be a well-planned foundation that supports what you are building. Any cracks, inconsistencies, or other corruptions of the foundation can cause your whole paper to crumble.
So, let’s suppose that you have done some brainstorming to develop your thesis. What else should you keep in mind as you begin to create paragraphs? Every paragraph in a paper should be:
Unified: All of the sentences in a single paragraph should be related to a single controlling idea (often expressed in the topic sentence of the paragraph).
Clearly related to the thesis: The sentences should all refer to the central idea, or thesis, of the paper (Rosen and Behrens 119).
Coherent: The sentences should be arranged in a logical manner and should follow a definite plan for development (Rosen and Behrens 119).
Coherent: The sentences should be arranged in a logical manner and should follow or development (Rosen and Behrens 119).
Coherent: The sentences should be arranged in a follow a Coherent definite plan for development (Rosen and Behrens 119).
I mean to fetch up to the first occurrence of the word "coherent", in case of multiple words (coherent) present in my event.
| rex "(?ms)^Unified: (?P<para>.+?)Coherent: "
The above regex will work (by adding ?). Thank you
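
The greedy and lazy patterns from this thread, compared side by side as an added example (not code from any poster), using Python's `re` module on the assumption that it treats `(?ms)`, `(?P<para>...)`, `.+` and `.+?` the same way as the PCRE engine behind `rex`. The shortened events, the `extract` helper and the `ANCHORED` variant (which requires the terminator to start a line) are constructed for illustration.

```python
import re

# Constructed event, shortened from the sample posted in the thread.
EVENT = (
    "timestamp : The decision about what to put into your paragraphs ...\n"
    "Unified: All of the sentences should relate to one idea.\n"
    "Clearly related to the thesis: The sentences refer to the thesis.\n"
    "Coherent: The sentences should follow a definite plan.\n"
    "Coherent: The sentences should follow or development.\n"
    "Coherent: The sentences follow a Coherent definite plan.\n"
)

# Constructed edge case: "Coherent: " also appears in the middle of a line.
INLINE = (
    "timestamp : intro\n"
    "Unified: Every sentence is Coherent: mostly.\n"
    "Clearly related to the thesis: yes.\n"
    "Coherent: done.\n"
)

# (?m) lets ^ match at every line start; (?s) lets . match newlines.
GREEDY = re.compile(r"(?ms)^Unified: (?P<para>.+)Coherent: ")    # first answer
LAZY = re.compile(r"(?ms)^Unified: (?P<para>.+?)Coherent: ")     # with ? added
# Hypothetical tightening: the terminator must also begin a line.
ANCHORED = re.compile(r"(?ms)^Unified: (?P<para>.+?)^Coherent: ")


def extract(pattern, event):
    """Return the captured 'para' field, or None when the pattern does not match."""
    match = pattern.search(event)
    return match.group("para") if match else None


if __name__ == "__main__":
    for name, pattern in (("greedy", GREEDY), ("lazy", LAZY), ("anchored", ANCHORED)):
        for label, event in (("EVENT", EVENT), ("INLINE", INLINE)):
            print(f"{name:8} {label:6} -> {extract(pattern, event)!r}")
```

The greedy form runs to the last `Coherent: ` in the event, the lazy form stops at the first one, and the anchored form avoids truncating the field when the terminator text also occurs inside a line.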