I am having trouble trying to parse data from a raw event line.
The raw events come in 2 different ways (shown further below). I am using the following regex:
(?i)^(?:[^\^]*\^){2}(?P<bannerid>[^\^]+)
The issue is some have ^ and others %5E. Is there a way to capture both in the extraction?
[30/Jan/2014:04:59:58 +0000] "GET /t25f.png?Starcom_CrystalLight_CrystalLight_BS_Visor1_3023150_5184568%5E5184568%5E23255909%5E3098598 HTTP/1.1" 200 h://cms.springboard.gorillanation.com/embed_iframe/1085/video/854883/tjbr001/thejasminebrand.com/10"
&
[30/Jan/2014:04:59:59 +0000] "GET /s75t.png?Starcom_ChrystalLight_ChrystalLight_CU_Visor1_3023150_5170050^5170050^23244639^2844787^^NoOfSlates=1^CurrentSlate=1 HTTP/1.1" 200 h://www.pch.com/entryintervid?crmN=2014JanTVPC1En"
Thank you all for any help.
Try this workaround
your base search ..| eval new_raw=replace(_raw,"%5E","^")| rex field=new_raw "(?i)^(?:[^(\^)]*(\^)){2}(?P<bannerid>[^\^]+)"
This regex seems to work well on regexr:
GET(?:.*?(?:\^|%5E)){2}(?<bannerid>.*?)(?:\^|%5E)
Does that get you what you're looking for?
Yes you are correct.
Am I correct in guessing that you want to extract
- 23255909 from the first event
- 23244639 from the second event
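The two approaches from the answers above (normalize %5E to ^ before extracting, or match either delimiter by alternation), run over the sample events with Python's re module. This is an added example, not code from the thread; the function names are hypothetical, and the lowercase %5e, mixed-delimiter and no-delimiter events are constructed to show the edge cases.

```python
import re

# The two events from the question, shortened to the part before the referrer.
EVENT_ENCODED = ('[30/Jan/2014:04:59:58 +0000] "GET /t25f.png?Starcom_CrystalLight_'
                 'CrystalLight_BS_Visor1_3023150_5184568%5E5184568%5E23255909%5E3098598 '
                 'HTTP/1.1" 200')
EVENT_LITERAL = ('[30/Jan/2014:04:59:59 +0000] "GET /s75t.png?Starcom_ChrystalLight_'
                 'ChrystalLight_CU_Visor1_3023150_5170050^5170050^23244639^2844787^^'
                 'NoOfSlates=1^CurrentSlate=1 HTTP/1.1" 200')
# Constructed events (not from the thread) for edge cases.
EVENT_LOWER = '[30/Jan/2014:05:00:00 +0000] "GET /x.png?c_1%5e1%5e777%5e9 HTTP/1.1" 200'
EVENT_MIXED = '[30/Jan/2014:05:00:01 +0000] "GET /x.png?c_1%5E1^42^9 HTTP/1.1" 200'
EVENT_PLAIN = '[30/Jan/2014:05:00:02 +0000] "GET /plain.png HTTP/1.1" 200'

# Approach 1: skip two ^-terminated fields from the start, capture the third.
AFTER_NORMALIZE = re.compile(r'^(?:[^\^]*\^){2}(?P<bannerid>[^\^]+)')
# Approach 2: accept either spelling of the delimiter. re.I also covers %5e,
# because the hex digits of a percent-escape are case-insensitive.
EITHER_DELIM = re.compile(
    r'GET(?:.*?(?:\^|%5E)){2}(?P<bannerid>.*?)(?:\^|%5E)', re.I)


def bannerid_normalized(raw):
    """Replace %5E/%5e with ^ first, then use the single-delimiter pattern."""
    new_raw = re.sub(r'%5E', '^', raw, flags=re.I)
    m = AFTER_NORMALIZE.match(new_raw)
    return m.group('bannerid') if m else None


def bannerid_alternation(raw):
    """Extract directly from the raw event without rewriting it."""
    m = EITHER_DELIM.search(raw)
    return m.group('bannerid') if m else None


if __name__ == '__main__':
    for ev in (EVENT_ENCODED, EVENT_LITERAL, EVENT_LOWER, EVENT_MIXED, EVENT_PLAIN):
        print(bannerid_normalized(ev), bannerid_alternation(ev))
```

Both functions return None when an event has fewer than two delimiters, so events without a banner ID are left unextracted.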