All,
I'm able to extract the second word but now the requirement is little different.
_time _raw
Shivera 346.789.63 is taking the second class 456.789.345,345.67.56
Shivera 345.786.66 now on the track class 56.78.67,-
Madura 456.190.45 shrewed it
aaruliya 455.67.30 top class calls 984.04.62 extra
Ghiya 495.81.22 tracking 627.85.79,34.56.78
Here in one event,there are different no. Of lines of logs.
And as i haved highlighted I would wanted to extract those alone.
How can i achieve it.
Thanks
Hi @prettysunshinez,
you could try something like this:
^\w+\s+(?<my_field>[^ ]*)
that you can test at https://regex101.com/r/B6ZNn4/1
Ciao and Merry Christmas.
Giuseppe
Hi
Check this
| makeresults
| eval temp="Shivera 346.789.63 is taking the second class 456.789.345,345.67.56#Shivera 345.786.66 now on the track class 56.78.67,-#Madura 456.190.45 shrewed it#aaruliya 455.67.30 top class calls 984.04.62 extra#Ghiya 495.81.22 tracking 627.85.79,34.56.78"
| makemv delim="#" temp
| mvexpand temp
| rex field=temp "^[^\s]+\s+(?P<output>[0-9.]+)"
or
| makeresults
| eval temp="Shivera 346.789.63 is taking the second class 456.789.345,345.67.56#Shivera 345.786.66 now on the track class 56.78.67,-#Madura 456.190.45 shrewed it#aaruliya 455.67.30 top class calls 984.04.62 extra#Ghiya 495.81.22 tracking 627.85.79,34.56.78"
| makemv delim="#" temp
| mvexpand temp
| eval output =mvindex(split(temp," "),1)