If your message has a standard structure, you can use the strmatch() primitive.
If it is NOT in a standard structure, but you know that some elements always exist, you can also use a combination of the strnpart() and strextract() primitives.
strnpart will find the location of a specified string, and strextract will allow you to extract a substring.
You can find more info on these primitives on the KB Reference guide.
I would suggest a different approach. Why not use the strtolist function, which will split a string about a given character (I'd suggest the comma), then use the listgetelt function with the arguments 2, 3, 4, 5 and 8 to get the relevant elements? I agree with Carlos, though, that we need to know if the structure is fixed, i.e. there are always the same number of comma-separated fields.
'FRED - test.log : 2011-08-26 11:05:56.626 BST,ERROR,FRED.test.uk.com,PRODUCTION,Administrator,com.test.common.ftputils.write.services.priv:performPostwrite,Node01:com.testworld.b2b.expectedreceipt.services.pub:fetchWhseExptRcpt,[UUID:b87c5c83-309c-4d48-8a65-020d630c4be7;SBX_SBX_WER_I.01GD09.W0DZZF.20110824.181836.xml;SBX_SBX_WER_I.01GD09.W0DZZF.20110824.181836.xml;10246311;alias:SBUX_IS-DLX-E2E-1_MasterPreAdvice;context:SBUX],error_code:90007,error_type:system,Unable to write into FTP server FRED;21@. as the file ./SBUXpad.20010017-18 already exists.
test.log : 2011-08-26 11:06:08.648 BST,ERROR,FRED.test.uk.com,PRODUCTION,Administrator,com.testworld.dlxwms.shippingmanifest.services.priv:parseShippingManifestDD,Node02:com.testworld.dlxwms.shippingmanifest.services.pub:fetchShipmentManifest,[UUID:dbb03f87-fdae-4c75-bc97-f6cbf6847a68;SBUXmnsCxt.0000010057],error_code:10428,error_type:business,Cannot map from dataDoc to shi... : CRITICAL';
This is the rule I have created, but it does not seem right to me:
where [$PEV.status == OPEN AND
$PEV.Customer == Fred AND
$PEV.mc_object_class has_prefix 'Log Management' ]
if $PEV.mc_host == 'SERVER1'
$PEV.msg = $secondbold $firstbold $errorCode $fourthbold;
At first glance it doesn't look too bad, apart from the missing brackets around the if condition and the setting of the message, which should look like:
I'd probably add some spaces as well
$PEV.msg= concat([$secondbold," ",$firstbold," ",$errorCode," ",$fourthbold]);
Note the square brackets are important. Explanation: this is a list we are passing to concat, and lists have square brackets round them.
You might be able to use a simpler form of variable substitution, in text:
$PEV.msg="$secondbold $firstbold $errorCode $fourthbold";
I'd then try compiling and, if it will, create a manual event and test the rule.
Not sure if you are using an event adapter to get this into the cell. If yes, then in the .map file of the adapter you can put a regex to extract what you want from the complete string. There are some .map files in the $MCELL_HOME/etc directory which will give you some idea about this, as they have some examples.
Below sort of regex will work for you.
You can test it at http://gskinner.com/RegExr/
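The comma-split approach suggested earlier in the thread, with the fixed-structure check it asks about, as an added Python example that is not part of any post and is not MRL. The function names, the field count of 11 and the sample line are assumptions modelled on the log lines quoted above.

```python
WANTED = (2, 3, 4, 5, 8)   # 1-based positions suggested in the thread
MIN_FIELDS = 11            # assumption: field count of the thread's sample lines

# Constructed sample modelled on the thread's log lines.
# The final free-text field deliberately contains a comma.
SAMPLE = (
    "test.log : 2011-08-26 11:05:56.626 BST,ERROR,FRED.test.uk.com,PRODUCTION,"
    "Administrator,com.test.priv:performPostwrite,"
    "Node01:com.test.pub:fetchWhseExptRcpt,"
    "[UUID:00000000-0000-0000-0000-000000000000;file.xml],"
    "error_code:90007,error_type:system,Unable to write, file already exists."
)

def split_fields(msg, min_fields=MIN_FIELDS):
    """Split on commas; return None when the line is too short to trust."""
    # Cap the split so commas inside the trailing message text
    # do not shift or multiply the fields.
    parts = [p.strip() for p in msg.split(",", min_fields - 1)]
    return parts if len(parts) == min_fields else None

def extract(msg, wanted=WANTED):
    """Return the wanted fields, or None for a malformed line."""
    parts = split_fields(msg)
    if parts is None:
        return None
    return [parts[i - 1] for i in wanted]

def error_code(msg):
    """Return the value of field 9 only if it carries the error_code: label."""
    parts = split_fields(msg)
    if parts is None or not parts[8].startswith("error_code:"):
        return None
    return parts[8].split(":", 1)[1]

def build_msg(msg):
    """Join the extracted fields and error code with spaces, like concat with ' '."""
    fields, code = extract(msg), error_code(msg)
    if fields is None or code is None:
        return None
    return " ".join(fields + [code])

if __name__ == "__main__":
    print(build_msg(SAMPLE))
    print(build_msg("test.log : truncated,ERROR,host"))
```

A line with fewer fields than expected yields None rather than a message built from misaligned positions, which is the failure the fixed-structure question is about.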