I have a result which shows two values for the same Id and I want the value of the second Id in table
result
class=com.something.something .something [id=requestid=7375de3b-b524-4a4d-85e5-c6b7cb0fb7b1 id=201231]
class=com.something.something .something [id=requestid=70dbdd62-7fd3-4178-a082-f27c0866279a id=151232]
class=com.something.something .something [id=requestid=34b96d23-1340-4f9a-b518-d95b8ae853a5 id=671235]
class=com.something.something .something [id=requestid=1845de3b-a524-1a4d-75e5-a1b7bb1fb7b2 id=921239]
so I want in result 201231,151232,671235,921239
Please help.
Set KV_MODE = auto
on your Search Head and then do:
... | eval id2=mvindex(id, 1)
If the format is consistent, you can do this:
| rex field=result "\[[\S\W]+\sid=(?<second_id>\d+)"
See https://regex101.com/r/p0RcVe/1 to compare this regex
@ravirajaka ,
Try
"base search"|rex field="your fieldname" "\bid=(?<second_id>\d+)"