
I want to run a query like this:

fields @timestamp, @message
| filter @message like /Failed Token|APN failed/
| parse @message "Failed Token: * Error: *" as token, error
| parse @message "device: * reason: *" as token, error
| display token, error

I get an error that token and error are already defined - obviously because I used them in the first parse. So my question is: how can I use the same field names, so I can display only 2 columns - Token and Error? Thanks!

RanH

1 Answer


The solution I found for this is to use parse with a regex, similar to the filter. It gets a bit tricky when needing to write a regex for 2 completely different strings, but in this way I managed to parse the fields into the same variable.

RanH
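The single-regex approach described in the answer, as an added example that is not code from the original post: one pattern with alternation covers both message shapes, so `token` and `error` are each defined once. The sample messages are constructed, the text around the prefixes is an assumption, and the script checks the pattern locally in Node.js before it is pasted into a `parse @message /.../` line (assuming the pattern behaves the same in Logs Insights).

```javascript
// One regex for both message shapes. Alternation selects the prefix
// ("Failed Token" / "device") and the label ("Error" / "reason"), while the
// named groups token and error appear only once, so nothing is redefined.
const PATTERN =
  /(?:Failed Token|device): (?<token>.*?) (?:Error|reason): (?<error>.*)/;

// Build the Logs Insights query around the same pattern: a single regex
// parse replaces the two glob parses from the question.
function buildQuery(pattern) {
  return [
    'fields @timestamp, @message',
    '| filter @message like /Failed Token|APN failed/',
    `| parse @message /${pattern.source}/`,
    '| display token, error',
  ].join('\n');
}

// Apply the pattern to one message; null means the line would yield
// empty token/error columns in the query result.
function parseLine(message) {
  const m = PATTERN.exec(message);
  return m ? { token: m.groups.token, error: m.groups.error } : null;
}

function parseAll(lines) {
  return lines.map(parseLine);
}

// Constructed sample messages (not taken from real logs).
const SAMPLE = [
  'Failed Token: tok_aaa111 Error: Unregistered',
  'APN failed for device: dev_bbb222 reason: BadDeviceToken',
  'Heartbeat ok',
];

console.log(buildQuery(PATTERN));
console.table(parseAll(SAMPLE));
```

The pattern also accepts mixed pairs such as `Failed Token: ... reason: ...`; tighten the alternation if the two shapes must stay distinct.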