I have some log files which look like this one:
2020-11-18 00:11:22.333 INFO [ABC_service,[{"method":"doSomething","id":"123456789","jsonrpc":"2.0","params":{"taskType":"certainType","clientNotificationInfo":{"priority":xy,"expirationDate":111111111},"priority":xy,"deviceId":"000000000000000","taskPayload":{},"timeout":22222222}}, XYZ]
I now would like to extract fields directly in my search and make a table of the extracted values. I would like to extract the taskType, here: certainType. Now, I was wondering about how to do this.
I tried this command:
source="/log/ABCDE/ABCDE_service.log" doSomething | rex field=_raw "taskType: (?<taskType>.*)" | table taskType
But I got an empty table. What is wrong here?
But I got an empty table for both values.
You have the right idea, but the regular expression in the rex command does not match the sample data. Try this.
source="/log/ABCDE/ABCDE_service.log" doSomething
| rex field=_raw "taskType\\\":\\\"(?<taskType>[^\\\"]+)"
| table taskType
The extra backslashes are needed for the multiple layers of escaping needed to get the quotation marks into the regex processor.
BTW, I like to use regex101.com to test regular expressions.
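As an added illustration (not part of the question or the answer above), the following Python script runs both regular expressions against a line constructed to mirror the sample in the question, so you can see why the original pattern yields nothing and the corrected one captures `certainType`. Python names capture groups `(?P<name>...)` where Splunk's rex accepts `(?<name>...)`; the function and variable names, and the extra sample lines, are my own. It also shows why a plain JSON parser is not an alternative here: the embedded object in the sample line (`"priority":xy`) is not valid JSON.

```python
import json
import re

# Constructed sample line modelled on the one in the question (all values are placeholders).
SAMPLE_LINE = (
    '2020-11-18 00:11:22.333 INFO [ABC_service,[{"method":"doSomething",'
    '"id":"123456789","jsonrpc":"2.0","params":{"taskType":"certainType",'
    '"clientNotificationInfo":{"priority":xy,"expirationDate":111111111},'
    '"priority":xy,"deviceId":"000000000000000","taskPayload":{},'
    '"timeout":22222222}}, XYZ]'
)

# The pattern from the question. It expects a literal "taskType: " (colon followed by a
# space), but the line contains "taskType":"certainType", so there is never a match.
ORIGINAL_PATTERN = re.compile(r"taskType: (?P<taskType>.*)")

# The pattern from the answer, in Python syntax: match the quoted key and the colon, then
# capture everything up to the next double quote. [^"]+ stops at the closing quote, so the
# greedy .* problem of the original pattern cannot swallow the rest of the line.
FIXED_PATTERN = re.compile(r'"taskType":"(?P<taskType>[^"]+)"')


def extract_task_type(line, pattern=FIXED_PATTERN):
    """Return the taskType captured from one log line, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.group("taskType") if m else None


def extract_field(line, field):
    """Generalisation of the answer: capture any string-valued key that appears as "key":"value".

    re.escape keeps a field name with regex metacharacters from changing the pattern.
    """
    pattern = re.compile(rf'"{re.escape(field)}":"(?P<value>[^"]+)"')
    m = pattern.search(line)
    return m.group("value") if m else None


def build_table(lines, field="taskType"):
    """Mimic `| table <field>`: one row per input line, None where nothing was extracted."""
    return [extract_field(line, field) for line in lines]


def embedded_json_is_valid(line):
    """Try to parse the {...} payload embedded in the line as JSON.

    Returns False for the sample line because the unquoted value xy is not legal JSON,
    which is why a regex extraction is used instead of a JSON parser.
    """
    start, end = line.find("{"), line.rfind("}")
    if start == -1 or end == -1:
        return False
    try:
        json.loads(line[start:end + 1])
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    # Constructed second line with no JSON payload, to show the None row in the table.
    heartbeat = "2020-11-18 00:11:23.000 INFO [ABC_service, heartbeat]"
    print("original pattern:", extract_task_type(SAMPLE_LINE, ORIGINAL_PATTERN))
    print("fixed pattern:   ", extract_task_type(SAMPLE_LINE))
    print("table:           ", build_table([SAMPLE_LINE, heartbeat]))
    print("valid JSON:      ", embedded_json_is_valid(SAMPLE_LINE))
```

The `extract_field` helper goes one step beyond the answer: the same `"key":"value"` shape works for any string-valued key in the line (`method`, `deviceId`, and so on), which is what you would reach for when the table needs more than one column.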