Using the Akamai app, and the configuration 'akamai-access-combined-extractions' uses:
[[all:other]]
... to capture a field that contains two pipe-separated values, where the pipe character indicates the end of each string:
"1_2141|959006|"
Trying to modify the config to split the field into two, but my regex kung fu is pretty weak. I tried this:
(?:[$|]+[[all:waf_version]]++[[all:waf_rule]]++)
... but I ran into a 'Regex: range out of order in character class' error.
Thoughts on how to fix?
Is it possible to perform search-time field extraction using RegEx? I know this not what you are asking but possibly another solution...
If so you could use something like:
*|rex field=test "(?<test1>\d+\_\d+)\|(?<test2>\d+)\|"
This will works assuming the strings are built-up of ...
{(one or more digit)(underscore)(one or more digit)} (pipe) {(one or more digit)}
So this works on the following types of data:
1_211|959006|
1_2141|959006|
1_21|959006|
1_2141|9590|
1_2141|959006|