|
If I have one event such as: 2010-06-10 15:01:16,882 .main INFO :: x=1 x=12 x=154 x=123 x=123 will it be able to extract all the values? Which means when searching for any of the values for x above, the event will be returned. Another example is: 2010-06-10 15:01:16,882 .main INFO :: _1 _12 _154 _123 _123 Can any of the digits after the underscore '_' be extracted into a single field? |
|
All of them can be extracted. In conf files, you can set the Note btw, in the first case, even if you don't do a field extraction, you can search on It works with rex. I wonder if max_match setting can be saved in field extraction or field transform.
(14 Jun '10, 23:36)
hans
|
|
I believe that only one of the values will get extracted, probably the first value. You should setup a proper regex to extract the separate field values. However, searching for the value itself should not be a problem. If you elaborate on the use-case, that might allow people to offer you more commentary. I don't have any real world use case but my scenario would be for a set of events that have x as a field, I want to see how many different values of x does that set have.
(10 Jun '10, 22:42)
hans
All of them can be extracted. In conf files, you can set the MV_ADD parameter (which actually is on by default) and when using the rex command you can use set max_matches (starting in 4.1).
(11 Jun '10, 01:40)
gkanapathy ♦
|
