@ajin
Created July 21, 2023 13:16
index="vault_logs"
| rex field=_raw "^(?<log_timestamp>[^ ]+ +[^ ]+ +[^ ]+) +(?<vault_server>[^ ]+) +vault: \[(?<log_level>[^]]+)\] +(?<component>[^:]+): (?<message>.+)"

ajin commented Jul 21, 2023

index="vault_logs" | rex field=_raw "^(?<log_timestamp>[^\s]+) \[(?<log_level>[^\]]+)\] (?<component>[^:]+): (?<log_message>error[^=]+)=\s*\"(?<error_description>[^\"]+)\""


ajin commented Jul 21, 2023

index="vault_logs" | rex max_match=0 field=_raw "(?<field_key>[^=]+)\s=\s(?<field_value>[^\s]+(?=\s|$))" | mvexpand field_key | mvexpand field_value | eval "{field_key}" = field_value


ajin commented Jul 21, 2023

index="vault_logs" | rex max_match=0 field=_raw "(?<field_key>[^=]+)=(\"(?<field_value>[^\"]+)\"|(?<field_value>[^=]+?)(?= [^=]+=|$))" | mvexpand field_key | mvexpand field_value | eval "{field_key}" = field_value | fields - field_key, field_value


ajin commented Jul 21, 2023

index="vault_logs" | rex max_match=0 field=_raw "(?<field_key>[^=]+)=(?<field_value>(\"[^\"]+\"|[^=]+?))(?= [^=]+=|$)" | eval pair = mvzip(field_key, field_value, "=") | mvexpand pair | rex field=pair "^\s*(?<field_key>[^=]+)=(?<field_value>.*)$" | eval "{field_key}" = trim(field_value, "\"") | fields - pair, field_key, field_value
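The same extraction as a stand-alone parser, added here as an example and not part of the gist or its comments. Python's re module stands in for Splunk's rex so the patterns can be checked offline; the log lines, host, components, paths and values below are constructed, not taken from a real deployment. The header patterns are the gist's, rewritten with Python's (?P<name>...) group spelling, and parse_header accepts both the syslog-wrapped and the raw hclog layout. The key=value extraction is tightened beyond the comments' [^=]+ patterns: keys are limited to identifier characters, a double-quoted value may contain spaces, an "=" sign and backslash-escaped quotes, and each match yields its key and value together so pairs cannot be mismatched.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines (not from a real Vault deployment). The first is a syslog-wrapped
# line of the shape the gist's first rex expects; the others are raw hclog lines of the
# shape the comment queries expect. Components, paths and messages are illustrative.
SAMPLE_LINES = [
    "Jul 21 13:16:00 vault-01 vault: [INFO]  core: post-unseal setup complete",
    '2023-07-21T13:16:01.452Z [ERROR] core: failed to mount entry: path=secret/ error="path is already in use at secret/"',
    '2023-07-21T13:16:02.003Z [WARN]  auth.approle: login failed: error="invalid role ID" namespace=eng remote_address=10.0.0.5 msg="role_id=abc was rejected"',
    "2023-07-21T13:16:03.000Z [INFO]  core: mount tuned: path=kv/ component=injected",
]

# Header of a syslog-wrapped line: "<Mon> <day> <time> <host> vault: [LEVEL] component: message".
# This is the gist's first rex with Python's (?P<name>...) group spelling.
SYSLOG_RE = re.compile(
    r"^(?P<log_timestamp>[^ ]+ +[^ ]+ +[^ ]+) +(?P<vault_server>[^ ]+) +vault: "
    r"\[(?P<log_level>[^\]]+)\] +(?P<component>[^:]+): (?P<message>.+)$"
)

# Header of a raw hclog line: RFC 3339 timestamp, bracketed level (hclog pads short
# levels with extra spaces after the bracket), component, message.
HCLOG_RE = re.compile(
    r"^(?P<log_timestamp>\S+) +\[(?P<log_level>[^\]]+)\] +(?P<component>[^:]+): (?P<message>.+)$"
)

# One key=value pair inside the message. The key must start after whitespace (or at the
# start of the message) and use identifier characters only, so prose words are never
# mistaken for keys. A double-quoted value may contain spaces, '=' and backslash-escaped
# quotes; an unquoted value runs to the next whitespace.
KV_RE = re.compile(
    r'(?<![^\s])(?P<key>[A-Za-z_][A-Za-z0-9_.-]*)='
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S+))'
)


def parse_header(line: str) -> Optional[Dict[str, str]]:
    """Split a line into its header fields; None if it is in neither layout."""
    for pattern in (SYSLOG_RE, HCLOG_RE):
        match = pattern.match(line)
        if match:
            return match.groupdict()
    return None


def extract_kv(message: str) -> Dict[str, str]:
    """Return the key=value pairs of a message as a dict, one entry per match.

    Each match yields its key and value together, so they can never be paired up
    wrongly (the equivalent of zipping the two multivalue fields in SPL).
    """
    pairs: Dict[str, str] = {}
    for match in KV_RE.finditer(message):
        value = match.group("quoted")
        if value is not None:
            value = re.sub(r"\\(.)", r"\1", value)  # drop the escaping backslashes
        else:
            value = match.group("bare")
        pairs[match.group("key")] = value
    return pairs


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Header fields plus promoted key=value pairs, like the gist's eval "{field_key}"."""
    event = parse_header(line)
    if event is None:
        return None
    event["log_level"] = event["log_level"].strip()
    for key, value in extract_kv(event["message"]).items():
        # Key names are taken from log content. Never let one overwrite a field
        # that was parsed from the header.
        if key not in event:
            event[key] = value
    return event


def error_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Events carrying an error= pair, the subset the gist's second comment selects."""
    events = (parse_line(line) for line in lines)
    return [event for event in events if event is not None and "error" in event]


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
```

Two things to carry back to the SPL. First, the comment queries run mvexpand on field_key and then on field_value separately; each expansion multiplies the event by the number of values, so N pairs become N×N rows with keys and values mismatched. Zip the two fields into one pair per match before expanding (mvzip with "=" as the delimiter), or extract one pair per match as above. Second, a key name produced by eval "{field_key}" comes straight from log content; guard the fields you parsed from the header so that a pair like component=injected in a message cannot replace them, and note that with the page's [^=]+ key pattern a quoted value that itself contains "=" (msg="role_id=abc ...") is split into a bogus pair, whereas the quoted-value alternative above keeps it whole.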
