I have the below string in logs with multiple delimiters (: = and #). I am expecting all the values in tabular format like
tenant | countryCode | deviceType | platformID | paymentMethod1 | paymentMethod2 | userAgent
XYZ    | US          | IOS        | 13         | p1             | p2             | Mozilla /20.0.553 Mozilla/5.0
Log string:
TrackingLogs tenant=XYZ, countryCode=US, deviceType:IOS, platformID:13,currency=USD, paymentMethods:P1 # P1 # P2 # P2 # P4 # , userAgent:Mozilla /20.0.553 Mozilla/5.0
I tried for ':' but got no result:
search string| rex field=_raw "deviceType\:\s+?(?<deviceType>\S+)" |table deviceType
For '=' I used the query below; it worked, but I don't know how to combine it with ':' and '#':
search trackinglog | rex field=tenant "(?<tenant>[^\.]*)\.[a-zA-Z]"| table _raw tenant, countryCode , currency , paymentMethods
The problem with the first query is not the separator, but the regex itself. It expects a space where none exists. This variation works:
| rex field=_raw "deviceType:\s*?(?<deviceType>[^\s,]+)" | table deviceType
For better results, however, try the extract command:
| extract pairdelim="," kvdelim=":="
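The same parse done outside Splunk, as an added example that is not part of the thread: a small Python parser that mirrors `extract pairdelim="," kvdelim=":="` and then splits the `#`-separated paymentMethods value into the separate columns the question asks for. Two points the answers above do not cover: a `\S+` capture on `deviceType:IOS,` keeps the trailing comma, so this parser splits on the pair delimiter before looking for `:` or `=`; and because fields such as userAgent are client-supplied, a duplicate key smuggled in through one of them must not silently overwrite an earlier, trusted value, so the parser keeps the first occurrence and reports later conflicts separately. The first log line is the one posted in the question; the second is constructed for illustration, and `LIST_FIELDS`, `split_list`, `parse_tracking_log` and `to_row` are names chosen here, not Splunk functions.

```python
import re
from typing import Dict, List, Tuple

# Log line exactly as posted in the question above.
LOG_LINE = (
    "TrackingLogs tenant=XYZ, countryCode=US, deviceType:IOS, platformID:13,"
    "currency=USD, paymentMethods:P1 # P1 # P2 # P2 # P4 # , "
    "userAgent:Mozilla /20.0.553 Mozilla/5.0"
)

# Constructed line (not from the thread): a client-supplied User-Agent that
# smuggles an extra ", tenant=ADMIN" pair into the log record.
SPOOFED_LINE = (
    "TrackingLogs tenant=XYZ, countryCode=US, deviceType:IOS, "
    "userAgent:Evil/1.0, tenant=ADMIN"
)

PAIR_DELIM = ","                    # counterpart of Splunk's pairdelim=","
KV_DELIM_RE = re.compile(r"[:=]")   # counterpart of kvdelim=":="
LIST_DELIM = "#"                    # separator inside multi-valued fields
LIST_FIELDS = {"paymentMethods"}    # assumed: which keys hold '#'-separated lists


def split_list(value: str) -> List[str]:
    """Split a '#'-delimited value, dropping blanks and repeated entries
    while keeping first-seen order: 'P1 # P1 # P2 # ' -> ['P1', 'P2']."""
    seen: Dict[str, None] = {}
    for item in value.split(LIST_DELIM):
        item = item.strip()
        if item:
            seen.setdefault(item, None)
    return list(seen)


def parse_tracking_log(line: str) -> Tuple[Dict[str, object], Dict[str, List[str]]]:
    """Return (fields, conflicts).

    fields   : key -> value for the FIRST occurrence of each key; keys listed
               in LIST_FIELDS are split with split_list().
    conflicts: key -> later, differing values that were NOT applied, so a
               duplicate key injected through a client-controlled value
               (User-Agent, Referer, ...) cannot overwrite a trusted one.
    """
    fields: Dict[str, object] = {}
    conflicts: Dict[str, List[str]] = {}
    for chunk in line.split(PAIR_DELIM):
        # Split on the first ':' or '=' only, so a value may itself contain either.
        parts = KV_DELIM_RE.split(chunk, maxsplit=1)
        if len(parts) != 2:
            continue                      # chunk carries no key/value pair
        left, value = parts
        words = left.split()
        if not words:
            continue
        key = words[-1]                   # drops a leading marker such as 'TrackingLogs'
        value = value.strip()
        parsed: object = split_list(value) if key in LIST_FIELDS else value
        if key not in fields:
            fields[key] = parsed
        elif parsed != fields[key]:
            conflicts.setdefault(key, []).append(value)
    return fields, conflicts


def to_row(fields: Dict[str, object]) -> Dict[str, str]:
    """Flatten to the tabular shape the question asks for: one column per
    scalar field plus paymentMethod1, paymentMethod2, ... for the list."""
    row: Dict[str, str] = {}
    for key, value in fields.items():
        if isinstance(value, list):
            for i, item in enumerate(value, start=1):
                row[f"{key[:-1]}{i}"] = item   # paymentMethods -> paymentMethod1, ...
        else:
            row[key] = str(value)
    return row


if __name__ == "__main__":
    parsed_fields, parsed_conflicts = parse_tracking_log(LOG_LINE)
    print(to_row(parsed_fields))
    print(parse_tracking_log(SPOOFED_LINE))
```

The comma pair delimiter assumes no value contains a comma, which holds for the posted line but is worth checking against real User-Agent strings before relying on it; if it fails, anchor on the known key names instead of on the delimiter. Keeping the first occurrence of a key is a policy choice: the opposite ("last wins") is exactly what an appended `, tenant=ADMIN` exploits, which is why the conflicts map is returned rather than discarded.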