Hi there,
Can someone help me with reading the tokenized string and assigning keys to each index retrieved? It is difficult for me as it is not in key/value format.
Log sample:
CustomerService`getPointDetails`6686`435`52`8`52`xmlgw_client_mrs_USAA`0x00000000`Successful Response`2`3`0`/CN=services.mclocal.int/OU=xmlgw-common-client/O=MasterCard WorldWide - Common ProdInfra SSL/L=Saint Louis/ST=Missouri/C=US`/mrswebservices/CustomerService/b2c/v2` `PRODESB6_STL|18234799|180817043259896`SAML`0`0`
I know which value is for which field from the sequence in which they appear in the logs. It does have a space as a value too. " ` " is the token in the string.
I tried the below, but since there are more than 20 fields I have to extract, the query becomes very long and ugly and can cause performance issues too.
index=app sourcetype = audit
| eval tokenString=mvindex(split(mvindex(split(_raw,"gtid("),1),"): `"),1)
| eval temp=split(tokenString,"`")
| eval field0=mvindex(temp,0)
| eval field1=mvindex(temp,1)
and so on for all the fields, with incremental index values.
I did check a few regex options on the web; those were also long queries.
Please advise.
Thanks,
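One way to name the positional values without a long eval chain is a search-time delimiter extraction; this is an added example, not part of the original post. It assumes the sourcetype `audit` from the query above and that everything before the first backtick is the `gtid(...)` header the query splits off; the stanza name and every field name are hypothetical placeholders to be replaced with the real ones.

```ini
# props.conf (search head)
# Attach the delimiter-based extraction to the sourcetype used in the post.
[audit]
REPORT-audit_tokens = audit_backtick_tokens

# transforms.conf (search head)
# Stanza name and field names below are hypothetical placeholders.
[audit_backtick_tokens]
# Split the event (SOURCE_KEY defaults to _raw) on the backtick character.
DELIMS = "`"
# Names are assigned in order. "prefix" absorbs the text before the first
# backtick (the gtid(...) header); field0..field19 follow the positions
# used with mvindex() in the post. Because FIELDS is given, consecutive
# delimiters are not collapsed, so a blank or single-space value keeps
# its position instead of shifting the later fields.
FIELDS = prefix, field0, field1, field2, field3, field4, field5, field6, field7, field8, field9, field10, field11, field12, field13, field14, field15, field16, field17, field18, field19
```

With this in place, `index=app sourcetype=audit` returns the named fields directly, and a value such as the `|`-separated one can still be split further with `split()` where needed.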