Hi,
I have a rather large multiline event which I am trying to extract data from. The problem is that the format is along the lines of:
key0 = "bob"
key1 = "foo"
key2 = "bar"
bob = blah $value0 blah
foo = $value1 blah
bar = $value2 blah blah
It's all rather annoyingly unstructured and arbitrary, so in order to find the values, I have to first extract the key1, key2 and key3 values, to know where to look for the values. I do this with rex, and it goes well. Then I go searching through the text for the values, again using regex.
The problem is that I somehow have to feed the results from the first search into the subsequent regex searches, and at least REX does not seem to like it if I type 'rex field=_raw "somethingsomething" + $key1 + "something" '
Apparently it's static text only, no variables welcome.
I did play around with the replace function in eval, but it does not seem to want to look beyond a single line.
Any ideas how I can solve this?
Best regards,
Arild
↧