I need to extract fields from a set of results with inconsistent formatting. I think this would be easy for a regex pro.
Here are two events:
Jul 17 15:44:01 hostname 192.168.0.1 [st2-b3-inter-d005][system][error] trans(119657588)[192.168.0.2]: Unable to open URL
Jul 17 15:44:01 hostname 192.168.0.1 [network][error] trans(2064751791): Host connection could not be established
I need multiple extractions for the data within the first set of brackets (separated by the dash) in event 1. You'll see that event 2 doesn't contain this type of data at all.
Basically I need a regex that says "Match everything between the first [ and first - but not if there are more than 3 characters before the -"
I'm basically a regex noob!
Thanks!
This should do it:
\[([^-]{0,3})-
Haha, you helped me!
You rock... thanks a lot. I need to get this regex stuff down.
I did nothing to you! 😉
No, sure. The regex first looks for the opening bracket, which has to be escaped because [ is a special character in regexes otherwise.
\[
Then the matching starts. We're looking for characters that are NOT the dash sign.
\[([^-]
Match if we find at least 0 and at most 3 non-dash characters.
\[([^-]{0,3}
End our matching group, and only match if this is immediately followed by a dash sign.
\[([^-]{0,3})-
I hope that sheds some light on how the regex is built step by step.
Is there any way you could explain what you did to me? Because I have to build extractions for the data in the separate sections (separated by -) in that bracket.
Awesome, fast answer btw.
The field extractor wants a named extraction for FIELDNAME if I remember correctly, so:
\[(?P<FIELDNAME>[^-]{0,3})-
Wow, fast response! How would I use that in the field extractor?
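An added example, not part of the original thread: the named-group regex from the answer run over the two events in the question with Python's re module (which accepts the same (?P<name>...) syntax), next to a stricter variant that is anchored to the first bracket on the line and returns every dash-separated section. The stricter pattern, the group names head and rest, the function names, and the third event are assumptions made for illustration.

```python
import re

# The two events quoted in the question.
EVENTS = [
    "Jul 17 15:44:01 hostname 192.168.0.1 [st2-b3-inter-d005][system][error] "
    "trans(119657588)[192.168.0.2]: Unable to open URL",
    "Jul 17 15:44:01 hostname 192.168.0.1 [network][error] "
    "trans(2064751791): Host connection could not be established",
]

# Constructed event (not from the thread): the first bracket has no dash,
# but a later bracket does.
CONSTRUCTED = ("Jul 17 15:44:01 hostname 192.168.0.1 [network][error] "
               "trans(42)[lb-7]: Host connection reset")

# Regex from the thread, with the named group.
THREAD_RE = re.compile(r"\[(?P<FIELDNAME>[^-]{0,3})-")

# Assumed stricter variant: skip everything before the first "[", keep the
# captured text from crossing "]" or "[", and require the closing "]".
FIRST_BRACKET_RE = re.compile(
    r"^[^\[]*\[(?P<head>[^\]\[-]{1,3})-(?P<rest>[^\]\[]*)\]"
)


def thread_extract(event):
    """Return FIELDNAME as the thread's regex extracts it, or None."""
    m = THREAD_RE.search(event)
    return m.group("FIELDNAME") if m else None


def first_bracket_segments(event):
    """Return all dash-separated sections of the first bracket, or None
    when the first bracket does not start with a 1-3 character section."""
    m = FIRST_BRACKET_RE.match(event)
    if m is None:
        return None
    return [m.group("head")] + m.group("rest").split("-")


if __name__ == "__main__":
    for ev in EVENTS + [CONSTRUCTED]:
        print(thread_extract(ev), first_bracket_segments(ev))
```

The unanchored pattern picks up "lb" from the later bracket in the constructed event, while the anchored variant only ever reads the first bracket, which keeps an extracted field from being attributed to the wrong part of the log line.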