27 Feb 2024 06:21 PM
I have this query
fetch logs
| filter matchesValue(host.name, "dar*")
and matchesPhrase(log.source, "mydomain")
and matchesPhrase(log.source, "diagnostic")
and matchesValue(status, "ERROR")
| fieldsAdd replaceString(content, "\n", " ")
| parse replaceString(content, "\n", " "), "LD 'Message=\"' LD:message'\"' LD 'TransactionId' LD"
| fieldsKeep message
See the parse replaceString(content, "\n", " ") part, isn't that bizarre?
The documentation doesn't tell me how to rename the result of replaceString and creates that weird field name. How can I give it a meaningful name to use in the parse?
Thanks!
27 Feb 2024 07:50 PM - edited 27 Feb 2024 07:58 PM
27 Feb 2024 08:10 PM
I need the part at the end, not the part at the beginning. Are you saying use something like LD EOL LD EOL LD:lastline?
28 Feb 2024 01:44 PM - edited 28 Feb 2024 01:46 PM
Hi,
For example, the EOS use:
data record(content="_ga_22HX2S1N7P=GS1.1.1702351529.1.0.1702351529.0.0.0\" 3806 1945 ")
| parse content, "LD STRUCTURE{DOUBLE:bytes.re ' ' DOUBLE:bytes.send SPACE}?:struct EOS"
| fieldsAdd struct[bytes.re]
| fieldsAdd struct[bytes.send]
28 Feb 2024 07:32 PM
The solution is to use DATA and not LD, and forget about replaceString.
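Putting the two points from this thread side by side, as an added DQL example that is not from any of the posts above: the `data record(...)` input is a constructed multi-line log line, and the field names `flat`, `txid`, `message2` and `txid2` are arbitrary choices. Option 1 answers the naming question directly (`fieldsAdd name = expression` gives the replaceString result a proper name), and option 2 shows the accepted approach: DATA matches across line terminators while LD stops at the end of the current line, so the newline replacement becomes unnecessary.

```dql
// Constructed sample record standing in for a multi-line log entry (not from the original thread).
data record(content="2024-02-27 18:21:00 ERROR\nMessage=\"disk quota exceeded\"\nTransactionId=abc123")

// Option 1: name the replaceString result explicitly, then parse the named field
// instead of repeating the expression inside parse.
| fieldsAdd flat = replaceString(content, "\n", " ")
| parse flat, "LD 'Message=\"' LD:message '\"' LD 'TransactionId=' LD:txid"

// Option 2: parse the original content directly. DATA consumes line breaks,
// LD does not, so DATA reaches the Message and TransactionId on later lines.
| parse content, "DATA 'Message=\"' LD:message2 '\"' DATA 'TransactionId=' LD:txid2"

// Both options yield the same values: message/message2 = "disk quota exceeded", txid/txid2 = "abc123".
| fieldsKeep message, txid, message2, txid2
```

The `data record(...)` command makes this runnable without any ingested logs, which is handy for checking a DPL pattern before attaching it to a `fetch logs` filter.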