
How to convert a working rex statement to a field extraction?

Sample data:

```
12/28/2015 11:39:14.113 -0600 collection="MSMQ Queue" object="MSMQ Queue" counter="Messages in Queue" instance="hostname"\private$\test_test_1062 Value=4
```

I have a working rex that extracts `test_test_1062` to the following:

```
queueName=test_test_1062
```

using this rex:

```
| rex field=instance \\\(?[^\\]+)$\"
```

If I try to convert this to a field extraction, I get the following error message:

```
Encountered the following error while trying to update: In handler 'props-extract': Regex: unmatched parentheses
```

If I remove a slash from each group of slashes, then I can save the field extraction, but then the result is not accurate and the last line is captured, so I get this:

```
queueName=test_test_1062 Value=4
```

The instance field has several variations, so I cannot get the IFX to work correctly once I load all the variations into it. Basically I just need all the text after `private$` until a white space occurs, but I cannot figure out how to make that happen and also work as a field extraction.

Thanks!
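The behaviour described in the question, as an added example that is not part of the original post: an end-anchored pattern run against the whole event reproduces the reported over-capture, while a pattern keyed on the literal `private$\` and stopped at the first whitespace does not. Assumptions: the second and third events are constructed variations, the pattern is applied to the raw event text, and the group uses Python's `(?P<queueName>...)` spelling, which PCRE also accepts.

```python
import re

# Constructed sample events modelled on the one in the question; the
# second and third "instance" variations are assumptions for illustration.
EVENTS = [
    r'12/28/2015 11:39:14.113 -0600 collection="MSMQ Queue" object="MSMQ Queue" '
    r'counter="Messages in Queue" instance="hostname"\private$\test_test_1062 Value=4',
    r'12/28/2015 11:39:15.020 -0600 collection="MSMQ Queue" object="MSMQ Queue" '
    r'counter="Messages in Queue" instance="hostname"\private$\orders.inbound-7 Value=0',
    r'12/28/2015 11:39:16.500 -0600 collection="MSMQ Queue" object="MSMQ Queue" '
    r'counter="Messages in Queue" instance="Computer Queues" Value=12',
]

# End-anchored: correct when the input is only the instance value, but
# against the whole event it runs from the last backslash to the last character.
ANCHORED = re.compile(r'\\(?P<queueName>[^\\]+)$')

# Keyed on the literal "private$\" ("$" and "\" escaped once each) and
# stopped at the first whitespace, so trailing key=value pairs are excluded.
BOUNDED = re.compile(r'private\$\\(?P<queueName>\S+)')


def extract(pattern, event):
    """Return the queueName capture for one event, or None if no match."""
    match = pattern.search(event)
    return match.group('queueName') if match else None


def compare(events):
    """Return (anchored_result, bounded_result) for every event."""
    return [(extract(ANCHORED, e), extract(BOUNDED, e)) for e in events]


if __name__ == '__main__':
    for event, (anchored, bounded) in zip(EVENTS, compare(EVENTS)):
        print(event[-45:])
        print(f'  anchored: {anchored!r}')
        print(f'  bounded : {bounded!r}')
```

Events without a `private$\` segment yield no `queueName` at all, which is easier to spot downstream than a value that silently includes `Value=...`.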
