I have a log file with multiple service requests/responses that I am logging in JSON. I am able to take those requests and responses, run them through mvexpand and spath, and come out with all of the fields being searchable. So far so good.
My problem is that there are some shared fields across the different services that I would like to combine to make searching a bit easier, but which have different field names from the spath.
soapenv:Envelope.soapenv:Body.aff:service1req.sys:SystemInfo.sys:ServiceContext.sys:sourceLogicalId
soapenv:Envelope.soapenv:Body.aff:service2req.sys:SystemInfo.sys:ServiceContext.sys:sourceLogicalId
soapenv:Envelope.soapenv:Body.aff:service3req.sys:SystemInfo.sys:ServiceContext.sys:sourceLogicalId
soapenv:Envelope.soapenv:Body.ns3:service1resp.ns2:SystemInfo.ns2:ServiceContext.ns2:sourceLogicalId
soapenv:Envelope.soapenv:Body.ns3:service2resp.ns2:SystemInfo.ns2:ServiceContext.ns2:sourceLogicalId
soapenv:Envelope.soapenv:Body.ns3:service3resp.ns2:SystemInfo.ns2:ServiceContext.ns2:sourceLogicalId
I've got a basic regex that can find all 6 of these: "soapenv:Envelope.soapenv:Body.[\w:.]+:sourceLogicalId"
The main issue I am having is figuring out how to use that regex to actually combine the fields. My last attempt was
sourcetype=source | mvexpand soapEnvelope | spath input=soapEnvelope | rex field=_raw "(?P<sourceLogicalID>soapenv:Envelope.soapenv:Body.[\w:.]+:sourceLogicalId)"
but I don't see any new field added like I would expect. I'm sure that I'm getting the syntax wrong somewhere in here, I just haven't been able to find anything online that explains what it is.
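As an added example, not from the original post or any answer in the thread: one way to fold the six spath paths above into a single field in SPL, assuming each expanded event carries at most one of them (the sourcetype and the soapEnvelope field are taken from the post). The paths are field names that spath produces, not text that appears in _raw, so a rex over _raw never matches; foreach instead iterates over the fields whose names match the wildcard, and coalesce keeps whichever one is populated.

```spl
sourcetype=source
| mvexpand soapEnvelope
| spath input=soapEnvelope
| foreach soapenv:Envelope.soapenv:Body.*:sourceLogicalId
    [ eval sourceLogicalID = coalesce(sourceLogicalID, '<<FIELD>>') ]
| stats count by sourceLogicalID
```

The single quotes around '<<FIELD>>' are required because the substituted field names contain colons and dots, which eval otherwise treats as operators.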