This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Conditional Parsing

mario_rwwa
Observer

‎23 May 2024 02:24 AM - last edited on ‎24 May 2024 09:37 AM by Community Team

Currently I'm dealing with a logfile which outputs different data depending on the action which has occurred, one parse statement cannot handle all the options so I have multiple parse statements.

I need to combine it all into one table at the end, but the only option I've found so far is via multiple fetch & appends, which feels very inefficient and clunky. Is there are way to streamline this sort of query?

As an example:

 

 

 

 

fetch logs, from: -3d
|  filter dt.host_group.id == "myTag"
|  filter matchesPhrase(content, "myFirstTextToMatch")
| parse content, "DATA blah blah blah parse out fields here"
| append  [fetch logs, from: -3d
  |  filter dt.host_group.id == "myTag"
  |  filter matchesPhrase(content, "mySecondTextToMatch")
  |  parse content, "DATA blah blah blah parse out second pattern fields here"
    | append  [fetch logs, from: -3d
      |  filter dt.host_group.id == "myTag"
      |  filter matchesPhrase(content, "myThirdTextToMatch")
      |  parse content, "DATA blah blah blah parse out third pattern fields here"
... and so on

 

 

 

 

Is there a way to use a conditional operator here maybe?

ie, IF matches FirstText then parse using First pattern ELSE IF matches SecondText parse using Second pattern...

Labels:
Reply
0 REPLIES 0
Ask a question

Featured Posts