Hello all,
I've used the field extractor to pull out the following field, but because the permissions are a little screwy I can't use it. How do I use this search expression with the Rex function to manually pull out what I want?
(?=[^P]*(?:"Required Text"|P.*"Required Text"))^(?:[^:\n]*:){7}\s+\w+\s+(?P\d+)
Apparently it's not simply rex Field =_raw "(?=[^P]*(?:Port|P.*Port))^(?:[^:\n]*:){7}\s+\w+\s+(?P\d+)"
but I'm new to this and not sure!
Thanks for any help!
Yeeaaahh, that's highly unlikely to be the optimum rex for that.
(?=[^P]*(?:"Required Text"|P.*"Required Text"))^(?:[^:\n]*:){7}\s+\w+\s+(?P\d+)
In English - Lookahead for a first something that is a bunch of not-P followed by either "Required Text" or "a bunch of Ps and Required Text". That something can be any combination of things that aren't colons or newlines, followed by a colon, with grabbing seven of those chunks in a row, then ignore one or more spaces, one or more characters, one or more spaces again, then finally grab some decimals.
Start with this - in a search, you can use as many rexes as you want to pull out individual things. If a rex fails to match anything, then the whole rex fails.
Try this -
| rex field=_raw "\b(?<myfield>[^:\s]+):\s*(?<myvalue>\S+)" max_match=0
This assumes your data looks something like this...
fieldname1: fieldvalue1 fieldname2:fieldvalue2
I wouldn't normally code it exactly like that, but without an example event I can't make it any more exact.
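An added illustration, not part of the answer above: a Python script that emulates `| rex ... max_match=0` with `re.finditer` over constructed sample events, so you can see why the character classes need a quantifier and why `[^:\n]+` alone leaks the separating space into the field name. Python's `re` needs the `(?P<name>...)` group form; the `rex_all` and `extract_fields` helpers and the sample events are this example's own.

```python
import re

# Constructed sample events (not from the original post), laid out the way the
# answer assumes: "name: value" pairs separated by whitespace.
SAMPLE_EVENTS = [
    "fieldname1: fieldvalue1 fieldname2:fieldvalue2",
    "src_ip: 10.0.0.5 user:alice action: login status:failed",
]

# Classes without a quantifier match exactly one character, so a field name
# would have to be a single letter; on the sample data this finds nothing.
SINGLE_CHAR = re.compile(r"\b(?P<myfield>[^:\n]):\s*(?P<myvalue>[^\b])")

# Adding + makes the name multi-character, but the next match starts at the
# end of the previous one, where \b holds before the space, so the space is
# swallowed into myfield (" fieldname2").
NO_SPACE_GUARD = re.compile(r"\b(?P<myfield>[^:\n]+):\s*(?P<myvalue>\S+)")

# Excluding whitespace from the name class forces the match to restart at the
# next word, giving clean name/value pairs.
FIXED = re.compile(r"\b(?P<myfield>[^:\s]+):\s*(?P<myvalue>\S+)")


def rex_all(event: str, pattern: re.Pattern) -> list[tuple[str, str]]:
    """Emulate `rex ... max_match=0`: return every (myfield, myvalue) pair in order."""
    return [(m.group("myfield"), m.group("myvalue")) for m in pattern.finditer(event)]


def extract_fields(event: str) -> dict[str, str]:
    """Collect the pairs from the working pattern into a field dictionary."""
    return dict(rex_all(event, FIXED))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event)
        for label, pattern in (("single-char", SINGLE_CHAR),
                               ("no-space-guard", NO_SPACE_GUARD),
                               ("fixed", FIXED)):
            print(f"  {label:15} {rex_all(event, pattern)}")
```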
Do you have sample data for us?