I am currently trying to parse numbers captured from logs using regex.
The numbers, however, have commas within them (e.g. 1,234.16); we need to use charts on the field, so we have to convert the field with to_long().
Does anyone have any recommendations on how to do this?
Sample log:
<62>1 2017-09-18T06:03:36.994+00:00 xxxxxxx-xxxxxxxx oci 7564 syslog - [SANscreen] Event: Violation Up, Name: VL-773434, Type: HV_VirtualMachine, Severity: CRITICAL, Element: xxxxx.xxx.xxxxx.xxx, Description: xxxxx.xxx.xxxxx.xxx violation with 'Latency - Total' > 30.00 ms (value of 140.15 ms), Start Time: Mon Sep 18 06:02:53 UTC 2017
Here's the sample pipeline that we use:

```
rule "get oci fields - up"
when
    contains(to_string($message.message),"IOPS")
then
    let pattern = "(Violation Up), Name: \\S+, Type: \\S+, Severity: (\\w+), Element: (\\S+), Description: \\S+ violation with \\'IOPS \\- Total\\' \\> \\S+ IO\\/s \\(value of (\\d.*) IO\\/s\\), Start Time: (\\w+ \\w+ \\d+ \\d+\\:\\d+\\:\\d+ \\w+ \\d+)";
    let regex_match = regex(pattern,to_string($message.message),["violation_status","severity","target_vm","iops","start_time"]);
    set_fields(regex_match);
    let a = split(",",to_string(regex_match["iops"]));
    let b = split(",",to_string(regex_match["iops"]),1);
    //Hello There test
    //let a = split(",","Hello,There",1);
    //set_field("temp",a);
    set_field("str_iops", concat(to_string(a),to_string(b)));
    set_field("iops",to_long(concat(to_string(a),to_string(b))));
end
```
I tried using to_long() to convert, but it wouldn't work, probably due to the comma.
I've tried splitting and then combining as well, but it seems not to split anything.
Also, the "Hello,There" test above would set "Hello,There" in the field without splitting.
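The following is an added example of a pipeline rule for this case; it is not code from the original post. It assumes the message format shown in the sample log (a `(value of 1,234.16 ms)` fragment inside the description) and uses the documented Graylog functions `regex`, `replace`, `to_double`, `to_long`, `has_field` and `set_field`. The field names `violation_value`, `violation_value_long` and `violation_unit` are assumptions chosen for the example. The idea is to remove the thousands separator with `replace` before converting, and to convert with `to_double` first so the decimal part of a value such as 140.15 is not lost.

```graylog
rule "oci violation value to number"
when
    has_field("message") &&
    // only fire when the "(value of <number> <unit>)" fragment is present
    regex(".*\\(value of [0-9,]+(\\.[0-9]+)? [^)]+\\).*", to_string($message.message)).matches
then
    // capture the raw number (digits, commas, optional decimals) and its unit
    let m = regex(".*\\(value of ([0-9,]+(?:\\.[0-9]+)?) ([^)]+)\\).*",
                  to_string($message.message),
                  ["raw_value", "unit"]);

    // "1,234.16" -> "1234.16": strip the thousands separators before converting
    let normalized = replace(to_string(m["raw_value"]), ",", "");

    // keep the decimals: to_double, with 0.0 as the default if conversion fails
    let value = to_double(normalized, 0.0);
    set_field("violation_value", value);

    // to_long truncates the decimals; only use it where an integer field is required
    set_field("violation_value_long", to_long(value, 0));

    // the unit ("ms", "IO/s", ...) is kept as a separate string field (assumed field name)
    set_field("violation_unit", to_string(m["unit"]));
end
```

Two notes on the original attempt: `split()` returns a list, not a string, so `to_string()` of that list gives the list's textual form rather than the joined digits, which is why concatenating the two results does not rebuild the number; and `to_long()` on a string such as `1,234.16` fails on the comma and would drop the decimals even without it, so normalizing with `replace()` and converting with `to_double()` keeps the value usable for charts.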