I have an event from which I want to filter this string:
\\\"name\\\":\\\"experience\\\",\\\"status\\\":\\\"FAILURE\\\"
Search:
"pxc" "fail*" | rex max_match=20 "((?<SOR>[\w*])\W*\w*\W*(?<status>[\w*]))" | where SOR="Experience" AND status="FAILURE"
But this gives me an event where SOR=abc and status=FAILURE too, which is unwanted.
Payload:
[{\\\"name\\\":\\\"xyz\\\",\\\"status\\\":\\\"SUCCESS\\\",\\\"updatedTimestamp\\\":\\\"2016-05-04T22:11:48Z\\\"},\\\"name\\\":\\\"gya\\\",\\\"status\\\":\\\"SUCCESS\\\",\\\"updatedTimestamp\\\":\\\"2016-05-04T22:11:50Z\\\"},{\\\"name\\\":\\\"abc\\\",\\\"status\\\":\\\"FAILURE\\\",\\\"updatedTimestamp\\\":\\\"2016-05-04T22:11:51Z\\\"},{\\\"name\\\":\\\"guest\\\",\\\"status\\\":\\\"SUCCESS\\\",\\\"updatedTimestamp\\\":\\\"2016-05-04T22:11:51Z\\\"},{\\\"name\\\":\\\"Experience\\\",\\\"status\\\":\\\"SUCCESS\\\",\\\"updatedTimestamp\\\":\\\"2016-05-04T22:12:02Z\\\"},{\\\"name\\\":\\\"Name\\\",\\\"status\\\":\\\"SUCCESS\\\",\\\"updatedTimestamp\\\":\\\"2016-05-04T22:11:58Z\\\"},{\\\"name\\\":\\\"Ajax\\\",\\\"status\\\":\\\"SUCCESS\\\"
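The result described in the post is what you get when the two conditions are tested independently against every value extracted from the event: one object supplies the name and a different object supplies the FAILURE. The following is an added example, not part of the original post, written in Python rather than SPL; the shortened sample event, the regex and the function names are constructed for illustration.

```python
import re

# Constructed sample: a shortened event in the same escaped form as the payload
# in the post. "Experience" succeeded; a different object ("abc") failed.
EVENT_OTHER_FAILED = (
    r'[{\\\"name\\\":\\\"xyz\\\",\\\"status\\\":\\\"SUCCESS\\\"},'
    r'{\\\"name\\\":\\\"abc\\\",\\\"status\\\":\\\"FAILURE\\\"},'
    r'{\\\"name\\\":\\\"Experience\\\",\\\"status\\\":\\\"SUCCESS\\\"}]'
)
# Constructed sample: here "Experience" itself failed.
EVENT_EXPERIENCE_FAILED = (
    r'[{\\\"name\\\":\\\"xyz\\\",\\\"status\\\":\\\"SUCCESS\\\"},'
    r'{\\\"name\\\":\\\"Experience\\\",\\\"status\\\":\\\"FAILURE\\\"}]'
)

# Assumed pattern: anchor on the literal keys so each match is one object's
# name and the status that immediately follows it. \W+ skips the escaped
# quotes, colons and commas between key and value.
PAIR = re.compile(r'name\W+(\w+)\W+status\W+(\w+)')


def extract_pairs(event):
    """Return [(name, status), ...], one tuple per object in the event."""
    return PAIR.findall(event)


def independent_match(event, name, status):
    """Test each field against all values separately (the unwanted result)."""
    pairs = extract_pairs(event)
    names = [n for n, _ in pairs]
    statuses = [s for _, s in pairs]
    return name in names and status in statuses


def paired_match(event, name, status):
    """Require name and status to come from the same object."""
    return (name, status) in extract_pairs(event)


if __name__ == "__main__":
    for label, ev in [("other failed", EVENT_OTHER_FAILED),
                      ("experience failed", EVENT_EXPERIENCE_FAILED)]:
        print(label,
              independent_match(ev, "Experience", "FAILURE"),
              paired_match(ev, "Experience", "FAILURE"))
```
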