This is the error message in the log:
info [native] Creating Memory Dump upon ResourceExhausted Notification: unable to create new native thread
I am trying to rex for "info [native] Creating Memory Dump upon ResourceExhausted Notification" using the syntax
rex "Creating Memory Dump upon '(?\w+)' Notification"
and display it in a dashboard, but it does not work.
Anything wrong with it?
Like this:
| makeresults
| eval _raw="info [native] Creating Memory Dump upon ResourceExhausted Notification: unable to create new native thread"
| rex "^(?<msg>[^:]+)"
You have several things wrong. Note: I'm also a RegEx novice.
Replace spaces with \s
You didn't name an extracted field (the <...> part).
If the extracted word will always be between "upon" and "Notification" you can shorten the rest.
| makeresults
| eval sentence="info [native] Creating Memory Dump upon ResourceExhausted Notification: unable to create new native thread"
| rex field=sentence "(upon\s)(?<extracted_thing>\w+)(\sNotification)"
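To check the three patterns in this thread offline (the one from the question and the two from the answers) without a Splunk instance, here is an added example that is not part of either answer. It uses JavaScript's RegExp, whose (?<name>...) named-group syntax is the same as the PCRE syntax rex expects, so each pattern string can be pasted into rex unchanged. The second and third log lines are constructed for the example; only the first is from the original post.

```javascript
// Added example, not from the original thread: exercising the rex patterns
// with JavaScript's RegExp, whose (?<name>...) named groups match the PCRE
// syntax Splunk's rex command uses.

// Sample events. Line 0 is the one from the question; lines 1 and 2 are
// constructed here to show a second value and a non-matching event.
const SAMPLE_LINES = [
  "info [native] Creating Memory Dump upon ResourceExhausted Notification: unable to create new native thread",
  "info [native] Creating Memory Dump upon OutOfMemory Notification: Java heap space",
  "info [native] heartbeat ok",
];

// The pattern from the question, as written. "(?\w+)" is not a valid group:
// anything that starts with "(?" must be a recognised extension such as
// "<name>", so the regex engine refuses to compile it and rex never runs.
const BROKEN_PATTERN = "Creating Memory Dump upon '(?\\w+)' Notification";

// The first answer's pattern: everything from the start of the event up to
// the first colon, captured into a field called msg.
const MSG_PATTERN = "^(?<msg>[^:]+)";

// The second answer's pattern: spaces written as \s and a named capture group
// between "upon" and "Notification", captured into extracted_thing.
const FIXED_PATTERN = "(upon\\s)(?<extracted_thing>\\w+)(\\sNotification)";

// Returns the compile error message for a pattern, or null if it compiles.
function compileError(pattern) {
  try {
    new RegExp(pattern);
    return null;
  } catch (e) {
    return e.message;
  }
}

// Mimics "| rex <pattern>" on one event: returns an object holding the named
// groups, or null when the event does not match (rex then sets no fields).
function rexExtract(pattern, line) {
  const m = new RegExp(pattern).exec(line);
  return m && m.groups ? { ...m.groups } : null;
}

// Runs the extraction over a list of events and keeps only the matches,
// which is what a dashboard panel searching on the new field would see.
function extractAll(pattern, lines) {
  return lines
    .map((line) => rexExtract(pattern, line))
    .filter((fields) => fields !== null);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("broken pattern:", compileError(BROKEN_PATTERN));
  console.log("msg field:", rexExtract(MSG_PATTERN, SAMPLE_LINES[0]));
  console.log("extracted_thing:", extractAll(FIXED_PATTERN, SAMPLE_LINES));
}
```

Running it shows the original pattern failing to compile (an "invalid group" error, which is why nothing appeared in the dashboard), msg holding the whole prefix up to the colon, and extracted_thing holding ResourceExhausted and OutOfMemory for the two events that match while the heartbeat line yields no field at all.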