Issue with timelion regex label

I did the following search request in Discover on my ref_rfnd index:

    msg: "*Detected server" AND msg: "started"

Search result extract:

| Time | host.name | msg | application |
|---|---|---|---|
| Nov 29, 2019 @ 12:49:29.023 | s598lr2wsrf09.ref.cpc998.be | Detected server BL1_500b_MBR2 started on node RefNode_REF_500B_EB | CLIENTS_998 |
| Nov 29, 2019 @ 12:49:29.023 | s598lr2wsrf05.ref.cpc998.be | Detected server BL2_400b_MBR2 started on node RefNode_REF_500B_EB | INTEGRATOR |
| Nov 29, 2019 @ 12:49:29.022 | s298lr2wsrf04.ref.cpc998.be | Detected server BL2_506c_MBR1 started on node RefNode_REF_500B_EB | MREF_200b_MBR2 |

In Timelion, I run the same request and wanted to label it (dynamically) like this:

    .es(q='msg: "Detected server" AND msg: "started"',index=ref_rfnd)
    .label(regex='.*Detected\s+server\s+(\w+)\s+started.*', label='$1')

But I don't get the labels I expected (BL1_500b_MBR2, BL2_400b_MBR2, BL2_506c_MBR1) from the regex expression, whereas it matched in an online regex tester.
Do I misunderstand something? Can you help me?

Regards.
Christophe

Hi @kristoflarcher,

I believe this is because the regex applies to the generated label from `.es(...)` and doesn't apply to the data returned. In your scenario, the regex extracts from `q:msg: "Detected server" AND msg: "started" > count`.

A more detailed explanation can be found here: Timelion: how generate .label() dynamically?.
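
As an added example, not code from this thread or from Kibana itself, the JavaScript below emulates what `.label()` does with its `regex` argument so the difference between "the label" and "the matching documents" is visible. It assumes Timelion applies the regex with a string replace against the series' current label text (which `.es()` defaults to `q:<query> > count`), and never against the `msg` values of the hits; the function and constant names are my own, and the sample label and message are constructed from the values quoted earlier in the thread.

```javascript
// Added example (not Kibana/Timelion code): emulate .label(label, regex).
// Assumption: Timelion rewrites the series label with a String.replace() using
// the supplied regex, and the label .es() starts from is "q:<query> > count".
function applyTimelionLabel(seriesLabel, label, regex) {
  if (regex) {
    return seriesLabel.replace(new RegExp(regex), label);
  }
  return label;
}

// Constructed: the default label of .es(q=..., index=ref_rfnd) from the thread.
const DEFAULT_LABEL = 'q:msg: "Detected server" AND msg: "started" > count';

// Constructed: one msg value copied from the Discover extract in the thread.
const SAMPLE_MSG = 'Detected server BL1_500b_MBR2 started on node RefNode_REF_500B_EB';

// The regex from the thread, as a JS string (escaped backslashes).
const SERVER_REGEX = '.*Detected\\s+server\\s+(\\w+)\\s+started.*';

// What the posted expression actually does: the regex runs against the label,
// where "Detected server" is followed by a quote, not whitespace, so nothing
// matches and the label is returned unchanged (no $1 ever appears).
function labelFromThread() {
  return applyTimelionLabel(DEFAULT_LABEL, '$1', SERVER_REGEX);
}

// What the poster expected: the same regex does capture the server name when
// run against a document's msg text, which is why the online tester matched.
function serverNameFromMsg() {
  return applyTimelionLabel(SAMPLE_MSG, '$1', SERVER_REGEX);
}

// A regex that has something to capture in the label itself: the first quoted
// phrase of the query. This is the kind of rewrite .label(regex=...) is for.
function phraseFromLabel() {
  return applyTimelionLabel(DEFAULT_LABEL, '$1', '.*?msg: "([^"]+)".*');
}

console.log(labelFromThread());   // label unchanged
console.log(serverNameFromMsg()); // BL1_500b_MBR2
console.log(phraseFromLabel());   // Detected server
```

Since the regex only ever sees the label string, a capture group can pull pieces out of the query text or out of a label set earlier in the chain, but it cannot reach values that live inside the matched documents.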

I don't understand why you say the regex applies to `q:msg: "Detected server" AND msg: "started" > count`.

The query is the following: `.es(q='msg: " *Detected server" AND msg: "started"')`, and it returns a certain number of lines from which I want to extract the label.

My question is: why doesn't the regex apply to the query content?

Regards.

How should I proceed? Is there any course explaining how to use regex on labels in Timelion?
The syntax is not that clear for me, and I did not find any accurate explanations.

Thanks
