Hi,
I have following output from a log file.
(5/1/13 - 1:36:05.01 PM) Event LOAD 1 Setup
(5/1/13 - 1:36:08.01 PM) Event LOAD 2 Setup
(5/1/13 - 1:37:07.37 PM) Event LOAD 1 Process
(5/1/13 - 1:37:17.37 PM) Event LOAD 3 Process
(5/1/13 - 1:38:07.39 PM) Event LOAD 1 Complete
(5/1/13 - 1:38:15.01 PM) Event LOAD 3 Setup
(5/1/13 - 1:38:17.39 PM) Event LOAD 2 Complete
(5/1/13 - 1:39:07.42 PM) Event READ 1 Setup
(5/1/13 - 1:39:17.37 PM) Event LOAD 3 Process
(5/1/13 - 1:39:27.39 PM) Event LOAD 3 Complete
(5/1/13 - 1:39:37.42 PM) Event READ 2 Setup
(5/1/13 - 1:39:57.42 PM) Event READ 3 Setup
(5/1/13 - 1:40:07.45 PM) Info READ 1 Process
(5/1/13 - 1:41:07.47 PM) Error READ 1 Complete
(5/1/13 - 1:41:17.45 PM) Info READ 2 Process
(5/1/13 - 1:41:27.45 PM) Info READ 3 Process
(5/1/13 - 1:41:57.47 PM) Error READ 2 Complete
(5/1/13 - 1:42:07.47 PM) Error READ 3 Complete
I need to extract a field "WorkID", so I used following REGEX
rex field=_raw "LOAD (?<workid>d+)|READ (?<workid>d+)"
If I change the WorkID field to WorkID1 and WorkID2, it works but not sure how to consolidate these 2 fields.
Later I will be using "Transaction" to get following output:
Start Time End Time WorkId
(5/1/13 - 1:36:05.01 PM) (5/1/13 - 1:41:07.47 PM) 1
(5/1/13 - 1:36:08.01 PM) (5/1/13 - 1:41:57.47 PM) 2
(5/1/13 - 1:38:15.01 PM) (5/1/13 - 1:42:07.47 PM) 3
What would be best ( practice) implementation for this issue?
Thanks!!!!