Solved: rename the result of replaceString

GerryIsHere · ‎27 Feb 2024

I have this query

fetch logs
| filter matchesValue(host.name, "dar*")
and matchesPhrase(log.source, "mydomain")
and matchesPhrase(log.source, "diagnostic")
and matchesValue(status, "ERROR")
| fieldsAdd replaceString(content, "\n", " ")
| parse replaceString(content, "\n", " "), "LD 'Message=\"' LD:message'\"' LD 'TransactionId' LD"
| fieldsKeep message

See the parse replaceString(content, "\n", " ") part, isn't that bizarre?

The documentation doesn't tell me how to rename the result of replaceString and creates that weird field name. How can I give it a meaningful name to use in the parse?

thanks!

Miguel_RinconG · ‎27 Feb 2024

Hi @GerryIsHere

It's a lines breaks. I recommend use replacePattern and DPL.

GerryIsHere · ‎27 Feb 2024

I need the part at the end, not the part at the beginning. Are you saying use something like LD EOL LD EOL LD:lastline?

Miguel_RinconG · ‎28 Feb 2024

Hi,

For example the EOS use:

data record(content="_ga_22HX2S1N7P=GS1.1.1702351529.1.0.1702351529.0.0.0\" 3806 1945   ")
| parse content, "LD STRUCTURE{DOUBLE:bytes.re ' ' DOUBLE:bytes.send SPACE}?:struct EOS"
| fieldsAdd struct[bytes.re]
| fieldsAdd struct[bytes.send]

GerryIsHere · ‎28 Feb 2024

The solution is to use DATA and not LD, and forget about replaceString