Use the extract command to obtain excerpts of an existing field using a regular expression. The command captures the resulting excerpts into virtual fields, using the names provided for the regular expression groups.
The extract command cannot operate on the
Original Log Content field. Default field, if not specified, is
To use the extract command on the value of the Original Log Content field, first copy the Original Log Content field into a string field, and then run extract on the new string field.
extract field = <field_to_parse> (<regular_expression>)
The following table lists the parameters used in this command, along with their descriptions.
field_to_parse: Specify the field that must be parsed using the regular expression.
regular_expression: Specify the regular expression to use for parsing the existing field. The format of the regular expression construct must be consistent with RE2J pattern matching and should contain at least one named-capturing group. See Regular Expressions Syntax.
The following command separates out the content of the entity field into
two parts. For example, the entity value
host-phx-1.oci.oraclecloud.com with pattern would split into
two virtual fields named Host and Domain, with values
* | extract field = Entity (?P<Host>\\w+)\\.?(?P<Domain>.*)
The following command creates a new virtual field named ErrorCode, which contains the suffix of the ErrorInfo field, so that it can be used as a key in the lookup table Error Ids. This can be used to look up the description and remediation steps from a lookup table and provide a tabular summary of how many times each error occurred and how to remediate it.
'Log Source' like '%database%' | extract field = ErrorInfo 'ora-(?P<ErrorCode>.*)' | lookup table="error ids" select error_description, error_remediation using error_id = ErrorCode | stats count, unique(error_description), unique(error_remediation) by ErrorInfo
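The following Python sketch is an added example, not part of the original documentation or the product's implementation; it emulates how named groups become virtual fields for both example commands above. It assumes Python's re module behaves like RE2J for these patterns, that the doubled backslashes denote a single regex backslash, and that the match is unanchored; the records, the ERROR_IDS table contents and the [^.]+ alternative pattern are constructed for illustration.

```python
import re
from collections import Counter

def extract(records, field, pattern):
    """Add one virtual field per named group to each record whose field matches."""
    rx = re.compile(pattern)
    if not rx.groupindex:
        raise ValueError("pattern must contain at least one named-capturing group")
    out = []
    for rec in records:
        m = rx.search(str(rec.get(field, "")))  # assumption: unanchored match
        # Records that do not match pass through without the virtual fields.
        out.append({**rec, **m.groupdict()} if m else dict(rec))
    return out

# Constructed sample data, not taken from a real log source.
ENTITY = [{"Entity": "host-phx-1.oci.oraclecloud.com"}]
ERRORS = [{"ErrorInfo": e} for e in ("ora-00942", "ora-01017", "ora-00942", "tns-12541")]
ERROR_IDS = {  # constructed stand-in for the "error ids" lookup table
    "00942": ("table or view does not exist", "check object name and grants"),
    "01017": ("invalid username/password", "verify credentials"),
}

def error_summary(records):
    """extract -> lookup -> stats count by ErrorInfo, as in the second example."""
    rows = extract(records, "ErrorInfo", r"ora-(?P<ErrorCode>.*)")
    counts = Counter(r["ErrorInfo"] for r in rows)
    summary = {}
    for r in rows:
        # A record with no ErrorCode virtual field finds nothing in the lookup.
        desc, fix = ERROR_IDS.get(r.get("ErrorCode"), (None, None))
        summary[r["ErrorInfo"]] = (counts[r["ErrorInfo"]], desc, fix)
    return summary

if __name__ == "__main__":
    # \w does not match '-', so this pattern ends Host at the first hyphen.
    print(extract(ENTITY, "Entity", r"(?P<Host>\w+)\.?(?P<Domain>.*)"))
    # Hypothetical alternative that splits at the first dot instead.
    print(extract(ENTITY, "Entity", r"(?P<Host>[^.]+)\.(?P<Domain>.*)"))
    print(error_summary(ERRORS))
```

Checking a pattern against a few representative field values this way shows exactly where each named group starts and stops before the query is saved.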