How to display multiple matches as column?

Follow
Avatar
Zafar Chaudry

Hello,

I have written a regex statement to match certain pattern in a log message and display as column. The issue is that Sumo only display first match but log message has multiple of those. How can I display all matches? Its like 'g flag' in regular expressions. 

 

0

Comments

5 comments

Sort by Date Votes
  • Avatar
    Kevin Keech

    You will want to look at the "multi" option of the parse regex operator. This flag will tell the parsing operation to parse each occurrence of the expression within a single message. Thes parsed values will then be placed into a new row of your results with the different parsed values appearing under the field name column supplied within the named grouping. 

     

    0
    Comment actions Permalink
  • Avatar
    Zafar Chaudry

    Thanks Kevin for your prompt response.

    I am using multi but its not displaying all values in column.

    Here is the log:

    '{'msg': u'All items completed', 'changed': False, 'results': [{'changed': False, '_ansible_no_log': False, 'item': u'enp29s0f2', '_ansible_item_result': True, 'failed': False, 'msg': u'odrd1-c1-r101-cdds01 / Ethernet16/2', '_ansible_verbose_always': True, '_ansible_ignore_errors': None}, {'changed': False, '_ansible_no_log': False, 'item': u'enp26s0f13', '_ansible_item_result': True, 'failed': False, 'msg': u'odrd1-c1-r101-cds01 / Ethernet6/20', '_ansible_verbose_always': True, '_ansible_ignore_errors': None}]}'

    and my regex is:

    | parse regex ", 'item': u(?<local_intf>.*?)," multi

    but that displays only "enp29s0f2" rather both "enp29s0f2 & enp26s0f13"

     

    0
    Comment actions Permalink
  • Avatar
    Kevin Keech

    Hi Zafar,

    I put your test message into a test account and tried your parsing expression and this appeared to work for me. Again, note that each parsed value will be placed into a new row, under the same column label, these two values will not be included in the same row/column.

    See the following screenshot for an example. Basically the one message gets turned into two, each having a different "local_intf" value. 

    0
    Comment actions Permalink
  • Avatar
    Zafar Chaudry

    ah thanks. I missed that it places in new row.

    Is there a way we can have it in same row? like local_inf have two entries separated by comma.

    0
    Comment actions Permalink
  • Avatar
    Kevin Keech

    Possible, but will require an additional "transactionize" and  "merge" operation.

     

    | parse regex ", 'item': u(?<local_intf>.*?)," multi
    | transactionize _raw (merge local_intf join with ", ", _raw takefirst)

     

    This extra operation basically pieces the two messages back together based on the Raw "message" and merges the two field values together into a single field separated by a comma. 

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post