Is there any way I can extract only PersistenceLo cache cleared! and PmFinUtilityL Cache Cleared (highlighted in BOLD)?
[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!
[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!
1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!
[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared.
I appreciate your help to frame the rex query.
You can try this:
| makeresults
| eval data="[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!,
[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!,
1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!,
[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared."
| makemv delim="," data
| mvexpand data
| rename data as _raw
| rex field=_raw "]\s\d+\w+\s(?P<field>[^?].*)"
Give this a try
your base search | rex "^(\S+\s+){4}(?<Message>.+)"
Awesome bud. It works as expected.
Appreciate your prompt reply. Thank you.
Hi,
Can you please explain a bit about the solution?
What the regex statement means is:
(\S+\s+)
some characters, then a space
{4}
repeat the above 4 times
(?<Message>.+)
take all the remaining characters, and write them to a new field called 'Message'
Does that help?
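Added example, not part of the original thread: both regexes from the answers above, run in Python over the four sample lines from the question, plus one constructed line without the time-zone token to show where skipping a fixed number of tokens and anchoring on the closing `]` give different results. The function names and the `NO_TZ` line are assumptions made for this illustration; Python writes the named group as `(?P<name>...)` where the Splunk answer uses `(?<name>...)`.

```python
import re

# The four lines from the question (constructed here as an inline sample).
SAMPLE = [
    "[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!",
    "[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!",
    "1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!",
    "[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared.",
]
# Constructed variant, NOT on the page: same event with no time-zone token.
NO_TZ = "[1/24/19 14:27:33:498] 00007d47 PersistenceLo I cache cleared!"

# Second answer: skip four whitespace-delimited tokens, keep the rest.
POSITIONAL = re.compile(r"^(\S+\s+){4}(?P<Message>.+)")

# First answer: anchor on the "]" closing the timestamp, then the thread id.
ANCHORED = re.compile(r"]\s\d+\w+\s(?P<field>[^?].*)")


def extract_positional(line):
    """Message field as the token-skipping regex would extract it."""
    m = POSITIONAL.search(line)
    return m.group("Message") if m else None


def extract_anchored(line):
    """Field as the bracket-anchored regex would extract it."""
    m = ANCHORED.search(line)
    return m.group("field") if m else None


def compare(lines):
    """Return (positional, anchored) results for each line."""
    return [(extract_positional(l), extract_anchored(l)) for l in lines]


if __name__ == "__main__":
    for pos, anc in compare(SAMPLE + [NO_TZ]):
        note = "" if pos == anc else "   <-- results differ"
        print(f"positional={pos!r}  anchored={anc!r}{note}")
```

On the four lines from the question both patterns return the same text, including the third line that lacks the leading `[`. On the constructed line the positional pattern consumes the logger name as its fourth token.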