I have a search like this:
|inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv | map [search index="*" $keyword$ | eval kw=$keyword$, rex=$regex$ | regex($regex$)]
from some reason the kw field does not get a value, the kw field is displayed but It is always empty, if I look at search.log, I can see that the search is being parsed as:
( index="*" IBAN ) | eval kw=IBAN, rex="[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}" | regex ("[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}")
but in the results, rex does show a value, but kw does not. What am I missing here?
You need double-quotes
, like this:
|inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv | map [search index="*" $keyword$ | eval kw="$keyword$", rex="$regex$" | regex($regex$)]
You need double-quotes
, like this:
|inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv | map [search index="*" $keyword$ | eval kw="$keyword$", rex="$regex$" | regex($regex$)]
aha, I understand, that also explains why the regex was already showing up in the results, it is already enclosed by double quotes in the original CSV.
works like a charm, thanks!
There are dangers to using the subsearch syntax ( []
) instead of the normal double-quotes for map
. It involves the fact that if your outer search is streaming (most likely), your subsearch will be restarted several times. If it does something like send an email with sendemail
, you may find that it emails many times instead of the single time that you expected.
Show the output of this command:
|inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv | head 2
Thanks for looking into this, that search gives me:
IBAN [a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}
AccountNumber [a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}