Field extractions: How to use same fieldname multi...

saxenaamit · ‎04-28-2016

There is a regular expression which is extracting a user field ( Field Extractor). This is basically a combination of 2 different regular expressions that are joined with an OR condition.

(?i)\[.*?\],? ?(?P[a-z_-]+)(?=\])|(?i)\(.*?\..*?\) \[(?P[A-Z_-]+)\]

Problem: I want to use the same variable name, but in order to make it work currently, I need to use 2 different names ( user1 and user2) as below.

(?i)\[.*?\],? ?(?P[a-z_-]+)(?=\])|(?i)\(.*?\..*?\) \[(?P[A-Z_-]+)\]

Can you suggest a solution to make it work just with one fieldname variable?

Thanks,

aholzel · ‎05-09-2016

If you add the "J" option at the start of the regex you can use the same field name multiple times.

so it would become

(?iJ)\[.*?\],? ?(?<user>[a-z_-]+)(?=\])|(?iJ)\(.*?\..*?\) \[(?<user>[A-Z_-]+)\]

richgalloway · ‎04-28-2016

In my experience, regex strings cannot use the same capture name more than once even if an OR condition means only one group will be used.

---
If this reply helps you, Karma would be appreciated.

vasanthmss · ‎04-28-2016

could you post some sample data?

V

saxenaamit · ‎04-28-2016

Here is the string and CC_TESTDZKO, CC_ASAXENA are the users, I am trying to read through field extractor .

(manager.ManagerImpl) [xxxx_B], CC_TESTDZKO [CC_ASAXENA]

Thanks,
Amit Saxena

Field extractions: How to use same fieldname multiple times in a one long regular expression?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...