How to display time, host, source type when the statement is as follows:

poonama
New Member

I have a stack trace for one particular error like this:
[9/20/17 5:40:13:428 EDT] 000000e0 SystemOut O 20 Sep 2017 05:40:13:428 [INFO] [DMAXP01_MIF2] [] BMXAA6372I - Host name: 139.46.95.92. Server name: DMAXP01_MIF2. Cron task name: JMSQSEQCONSUMER.SEQQIN. Last run: 2017-09-20 05:40:00.0

host=cltismx1waslp07
sourcetype=WebSphere:SystemOutLog
source=/logs/websphere/DMAXP01_MIF2/SystemOut.log

I want to view the fields in tabular format. My search string is
Cron task name: JMSQSEQCONSUMER.SEQQIN9. Last run: | table host, sourcetype,source.

I want to display the time after the keywords " Last run:" in the above statement.

0 Karma

gcusello
SplunkTrust

Hi poonama,
You have to extract the field Last_Run with the rex command or in a field extraction.
The regex is Last run: (?<Last_Run>\d+-\d+-\d+\s\d+:\d+:\d+\.\d+)

your_search
| rex "Last run: (?<Last_Run>\d+-\d+-\d+\s\d+:\d+:\d+\.\d+)"
| table Last_Run host sourcetype source

You can test it at https://regex101.com/r/Cfbhwp/1
Bye.
Giuseppe

0 Karma

poonama
New Member

It's giving multiple entries of one single last run time. Any idea how to deal with this?

0 Karma
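
An added example, not part of the original thread: the extraction from the answer applied offline to constructed sample events, showing how one Last run value ends up in several rows when more than one event reports it, and how to collapse those rows. The Cron_Task capture group, the function names and the sample events are this example's own, and the cause of the repeated rows is an assumption.

```python
import re

# Pattern from the answer's rex, capture group named Last_Run to match the
# table command; Cron_Task is an extra group added for this example.
PATTERN = re.compile(
    r"Cron task name: (?P<Cron_Task>\S+)\. "
    r"Last run: (?P<Last_Run>\d+-\d+-\d+\s\d+:\d+:\d+\.\d+)"
)

# Constructed sample events modelled on the line in the question.
BASE = ("[INFO] [DMAXP01_MIF2] [] BMXAA6372I - Host name: 139.46.95.92. "
        "Server name: DMAXP01_MIF2. Cron task name: JMSQSEQCONSUMER.SEQQIN. ")
SAMPLE_EVENTS = [
    "20 Sep 2017 05:40:13:428 " + BASE + "Last run: 2017-09-20 05:40:00.0",
    "20 Sep 2017 05:40:43:101 " + BASE + "Last run: 2017-09-20 05:40:00.0",
    "20 Sep 2017 05:45:13:377 " + BASE + "Last run: 2017-09-20 05:45:00.0",
    "20 Sep 2017 05:45:20:002 [INFO] [DMAXP01_MIF2] [] unrelated message",
]


def extract(events):
    """Return the extracted fields for every event the pattern matches."""
    rows = []
    for event in events:
        match = PATTERN.search(event)
        if match:  # events without "Last run:" yield no row here
            rows.append(match.groupdict())
    return rows


def collapse(rows):
    """Merge rows sharing (Cron_Task, Last_Run) into one row with a count."""
    counts = {}
    for row in rows:
        key = (row["Cron_Task"], row["Last_Run"])
        counts[key] = counts.get(key, 0) + 1
    return [
        {"Cron_Task": task, "Last_Run": last_run, "events": n}
        for (task, last_run), n in counts.items()
    ]


if __name__ == "__main__":
    print("one row per matching event:", extract(SAMPLE_EVENTS))
    print("one row per Last_Run:", collapse(extract(SAMPLE_EVENTS)))
```

In SPL, the same collapse is what `dedup` or `stats count by` performs on the extracted field.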