Right now, my search looks like this:
index=4_ip_cnv source="*ATL*Pack*" FirstWord=SDA | rex "\s(?<Msg>201,.*)$" | eval Msg=split(Msg,",") | eval ActualDest=mvindex(Msg,5) | eval ContainerID=mvindex(Msg,13) | eval ActualDest=if(like(SourceName,"%West%"),"West ","East ") . ActualDest | table _time ActualDest ContainerID
and the log looks like this:
2016 05 09 12:32:29.000 | SDA written: 201,64,5,1,0,8,0,0,0,0,0,16790
2016 05 09 12:32:29.000 | 5,8,04S05577
I can get the destination that I need, but the container ID, 04S05577, doesn't get listed in the table. Help?
Thanks!