Solved: Re: Rex, Regex and Field Extraction Question

MHS · ‎04-24-2012

I know this is going to be something simple and probably the fact that I'm posting this will trigger something in my dome. But here goes:
Here is what my data looks like:
Apr 20 15:36:43 10.200.1.22 1794246290: Called Party Number i = 0x80, '12858'
Apr 20 15:36:42 10.200.1.22 1794246273: Called Party Number i = 0xA1, '314255####'
Note: #### is to redact for privacy

So I want to do a search line extract for anything between the ' '. My regex should look like this: '\d{5,10}'
when I put this line into spunk to extract that field I just get a blank for the field dialed number:
"Called Party Number i" | rex "'\d{5,10}'(?)"

Suggestions?

sowings · ‎04-24-2012

When using named field extractions, the field name goes inside (and before) before the matching group, like:

rex "'(?<dialednumber>\d{5,10})'"

View solution in original post

sowings · ‎04-24-2012

When using named field extractions, the field name goes inside (and before) before the matching group, like:

rex "'(?<dialednumber>\d{5,10})'"

MHS · ‎04-24-2012

Thanks for the response. That took care of it.

sowings · ‎04-24-2012

Yeah, I forgot about double escaping my \'s.

cphair · ‎04-24-2012

@MHS, note that you also need a backslash before the d to make it match a digit. You also may need to escape (backslash) the single quotes, but I don't have data handy to test that.

Rex, Regex and Field Extraction Question

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...