Hi,
I'm sure this is very simple, but I'm fairly new to regex and rex.
I'm trying to use rex to extract a string from the event logs, and then show that sring in a table.
Here is a sample event:
"2016-06-06 12:14:11,114 [RMI TCP Connection(453679)-10.128.110.184]- Remote invocation of " and here would be specifics.
Using the field extractor, I came up with the following:
rex field=_raw "(?ms)^(?:[^ \\n]* ){5}(?P\\w+\\s+\\w+\\s+)"
This allowed me to use the following search to table it:
index=qp_mds source="/app/logdata/logs/marketdata/performance.log"| rex field=_raw "(?ms)^(?:[^ \\n]* ){5}(?P\\w+\\s+\\w+\\s+)"| Table Remote_Invocation
However, all my table shows is Remote Invocation where the event should be. I can get the string if I table _raw, but it give me the whole string, whereas I only want what is after Remote invocation. Any help would be greatly appreciated.
Thank you.
↧
