I have to build a table that lists all the service names that are in a particular format, e.g. "ABC-*.-<>". Is this possible??
I actually tried building a regular expression like this: index=my_index sourcetype=my_source | regex name = "^ABC-.*-(Name1|Name2|Name3|Name4|....Name600)" but I am getting "Regex: regular expression too large error". Any other way of solving this??
Try something like this.
index=my_index sourcetype=my_source name = "ABC*" | rex field=name "^ABC-.*-(?<subname>.*)" | lookup names.csv name-field-in-lookup-file as subname | ...
Fantastic, that worked!! This is exactly what I was looking for.
All 600 start with a prefix like “ENV” and the rest are random. I did create a lookup with these 600.
Is there a pattern to the service name endings or are they 600 random strings?
Regex is better suited to validating data format than content. IOW, use rex to determine if a string is a potential service name and extract the "Name*" part. Then use a lookup to validate the Name against a list of known names.
Can you please show some example data?
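
The split suggested in the thread (rex for the format, a lookup for the content), written out as a complete search that also drops events whose suffix is not in the list. This is an added example, not code from any of the replies; it assumes names.csv has a column called service_name holding the 600 names (a hypothetical column name), and known_name is a field name chosen here.

```spl
index=my_index sourcetype=my_source name="ABC-*"
| rex field=name "^ABC-.*-(?<subname>.*)"
| lookup names.csv service_name AS subname OUTPUT service_name AS known_name
| where isnotnull(known_name)
| stats count BY name
| sort name
```

The lookup command only adds fields and does not filter, so the where clause is what removes services that are not on the list. Because the first `.*` is greedy, subname is the text after the last hyphen in name, so the entries in names.csv have to match that trailing part exactly.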