Parse expression should return all the match results

Follow

Sai Gowtham Nambi

• April 13, 2021 10:13

Hi Team ,

     I have a log where data looks like 

"some text name:abc some text text text name:xyz some text" . I want this log to be parsed to show the result as 

name1  name2

abc         xyz

Thanks

1

• 

  Graham Watts

  • April 13, 2021 23:18

  Hey Sai,
  
  Parse Regex Multi can do this, try the below:
  
  | parse regex "\sname\:(?<field1>abc)" multi
  
  Hope this helps!
  
  - Graham

  0

  Comment actions Permalink
• 

  Graham Watts

  • April 13, 2021 23:27

  Hey Sai,
  
  Actually, parse regex multi will show a new line for value instead of field1, field2.
  
  Usually you will want to use parse regex multi to extract n number of fields, but if you have exactly 2 that you ant you could do this, with the aggregation and transpose to get a table report:
  
  | parse regex "\sname\:(?<field1>[^\s]+).*name\:(?<field2>[^\s]+)\s"
  | count by field1,field2
  | transpose row field1 column field2
  
  
  

  0

  Comment actions Permalink
• 

  Sai Gowtham Nambi

  • April 15, 2021 04:53

  Many Thanks Graham. 

  0

  Comment actions Permalink

Please sign in to leave a comment.