Hi Want to extract specific fields from a log file. Tried using rex but failed.. need help
Log file EG:
----------------------------------------
03-09-2012 12:04:52.824 Information C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile] [PID: 296] [Thd: 5400] StockRoomController DisplayScanItem 1234 12345678 33333 00000000-0000-0000-0000-000000000000 Controller 39634671 39634703 32
----------------------------------------
----------------------------------------
03-09-2012 12:04:53.262 Information C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile] [PID: 296] [Thd: 5676] BCK001 UI 1 2 00000000-0000-0000-0000-000000000000 RenderingTime 1331316293215 1331316293246 31
----------------------------------------
----------------------------------------
03-09-2012 12:05:06.855 Information C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile] [PID: 296] [Thd: 5036] BCK001 UI 1 2 ffe7d7cb-c7ae-4056-8393-6e237b7e120b SubmitTime 0 1331316306839 0
----------------------------------------
----------------------------------------
03-09-2012 12:05:08.230 Information C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile] [PID: 296] [Thd: 5676] StockroomDomainManager ReadLoc 1234 12345678 33333 ffe7d7cb-c7ae-4056-8393-6e237b7e120b DataBase 39649906 39650687 781
----------------------------------------
----------------------------------------
03-09-2012 12:05:08.230 Information C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile] [PID: 296] [Thd: 5676] StockroomDomainManager ReadStkrmLocsByProdId_FG 1234 12345678 33333 ffe7d7cb-c7ae-4056-8393-6e237b7e120b DataBase 39649906 39650687 781
----------------------------------------
----------------------------------------
03-09-2012 12:05:08.230 Information C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile] [PID: 296] [Thd: 5676] BackstockApplication GetStkrmLocsByProdId_FG 1234 12345678 33333 ffe7d7cb-c7ae-4056-8393-6e237b7e120b Controller 39649906 39650687 781
----------------------------------------
----------------------------------------
03-09-2012 12:05:08.230 Information C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile] [PID: 296] [Thd: 5676] StockRoomController DisplayScanLocation 1234 12345678 33333 ffe7d7cb-c7ae-4056-8393-6e237b7e120b Controller 39650687 39650687 0
----------------------------------------
----------------------------------------
What's not working with rex
? This should work:
... | rex "\[PID: (?<pid>\d+)\]\s+\[Thd: (?<thd>\d+)\]"
... | rex "\[PID: (?<pid>\d+)\]\s+\[Thd: (?<thd>\d+)\]" | fields pid thd | outputcsv exportedfields
Thankyou Ayn,
Is there any way to export the values out of the log files for the above two mentioned fields.
Like the logs have a "PID" and "Thd" value, can we use splunk to filter out that value and then export it to a say csv files or an excel sheet.
--update
I can however select the fields i wish to in the output by selecting the fields under "selected fields" but i am not able to export these values in an excel sheet or say a csv