Hi,
I have following output from a log file.
(5/1/13 - 1:36:05.01 PM) Event LOAD 1 Setup
(5/1/13 - 1:36:08.01 PM) Event LOAD 2 Setup
(5/1/13 - 1:37:07.37 PM) Event LOAD 1 Process
(5/1/13 - 1:37:17.37 PM) Event LOAD 3 Process
(5/1/13 - 1:38:07.39 PM) Event LOAD 1 Complete
(5/1/13 - 1:38:15.01 PM) Event LOAD 3 Setup
(5/1/13 - 1:38:17.39 PM) Event LOAD 2 Complete
(5/1/13 - 1:39:07.42 PM) Event READ 1 Setup
(5/1/13 - 1:39:17.37 PM) Event LOAD 3 Process
(5/1/13 - 1:39:27.39 PM) Event LOAD 3 Complete
(5/1/13 - 1:39:37.42 PM) Event READ 2 Setup
(5/1/13 - 1:39:57.42 PM) Event READ 3 Setup
(5/1/13 - 1:40:07.45 PM) Info READ 1 Process
(5/1/13 - 1:41:07.47 PM) Error READ 1 Complete
(5/1/13 - 1:41:17.45 PM) Info READ 2 Process
(5/1/13 - 1:41:27.45 PM) Info READ 3 Process
(5/1/13 - 1:41:57.47 PM) Error READ 2 Complete
(5/1/13 - 1:42:07.47 PM) Error READ 3 Complete
I need to extract a field "WorkID", so I used following REGEX
rex field=_raw "LOAD (?\d+)|READ (?\d+)"
If I change the WorkID field to WorkID1 and WorkID2, it works but not sure how to consolidate these 2 fields.
Later I will be using "Transaction" to get following output:
Start Time End Time WorkId
(5/1/13 - 1:36:05.01 PM) (5/1/13 - 1:41:07.47 PM) 1
(5/1/13 - 1:36:08.01 PM) (5/1/13 - 1:41:57.47 PM) 2
(5/1/13 - 1:38:15.01 PM) (5/1/13 - 1:42:07.47 PM) 3
What would be best ( practice) implementation for this issue?
Thanks!!!!
If you rework your RegEx a little bit, you should be able to get the field extraction. Try this out:
rex field=_raw "(LOAD|READ)\s(?<workid>\d+)"
Thanks to wpreston and sdaniels. Both solutions worked!!!!
If you rework your RegEx a little bit, you should be able to get the field extraction. Try this out:
rex field=_raw "(LOAD|READ)\s(?<workid>\d+)"
I think this comes down to a better regex. This is an example that will match just the workid number you are looking for or you could change your 'OR' on the word match as well. A lookbehind assertion on a 4 letter word that is all caps plus the space.
(?<=[A-Z]{4}\s)\d
Rex would be something like this:
rex field=_raw "(?<=[A-Z]{4}\s)(?<workid>\d+)"