The log contains strings in the format below.
name:X_device:Y_
name-U:X1_Y2_
It has a mixed pattern, and I'm wondering how to use a wildcard if I do the regex for name and device in a string (inside double quotation marks) like below?
rex "name *wildcard* (?<name>\w*)_"
rex "device *wildcard* (?<device>\w*)_"
This should do it. (Run-anywhere sample search; replace everything before rex with your search.)
| gentimes start=-1 | eval raw="name:X_device:Y_#name-U:X1_Y2_" | table raw | makemv raw delim="#" | mvexpand raw | rename raw as _raw
|rex "name[^:]*:(?<name>[^_]+)_(device:)*(?<device>[^_]+)"
Thank you! This works!
The concept of "wildcard" is more refined in regex so you just have to use the regex format. If you expect 0 or more repetitions of any character, for example, you would use .* instead of just *.
In regex, * means 0 or more repetitions of any character preceding it; in one of your examples, name *wildcard*, the first "*" represents 0 or more white spaces, whereas the second "*" represents 0 or more letter "d". If you want your "wildcard" to represent any character in any repetition, you precede "*" with the special character ".", which in regex can represent any single character.
Hey @limalbert, please format any search/code/data sample that you post using the code button (the button with '101010' above the editor) or by pressing Ctrl+K.
In the 2nd example, there is no keyword for device; is that correct or a typo? Are you looking for wildcarding the part which I highlighted here: name**:**X and name**-U:**X1?
Hi @somesoni,
I edited the question.
For the second example for device, there is no keyword, and that's why it's a little bit difficult. I found another alternative to the wildcard by using this: (?:[^/]+)?. I successfully used this to get the name field, but I'm still working on the device since it doesn't have a keyword.
rex "name(?:[^/]+)?:(?<name>\w*)_"
Give this a try (single rex to extract both)
rex "name[^\:]+\:(?<name>\w+)_(device\:)*(?<device>\w+)"
Sorry, the output for device is actually only "Y". It only gives the one with the keyword, but it doesn't give the one without the keyword.
Can you help me understand what you did after name? Specifically this one, [^:]+.
Also, it works to get only the first device, so the only output is device:Y.
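Added example, not part of the thread: the accepted pattern run over the question's two sample lines in JavaScript, which accepts the same (?<name>...) group syntax as rex, next to two illustrative variants that show what `\w+` and `[^:]+` change. The names `extract`, `wordClass` and `plusPrefix` are made up for this example.

```javascript
// Constructed sample lines: the two formats shown in the question.
const samples = ["name:X_device:Y_", "name-U:X1_Y2_"];

// Pattern from the accepted answer.
//   name[^:]*:   "name", then zero or more non-colon characters, then ":"
//   [^_]+        the value, up to (not including) the "_" separator
//   (device:)*   the "device:" keyword, zero or more times (so it is optional)
const accepted = /name[^:]*:(?<name>[^_]+)_(device:)*(?<device>[^_]+)/;

// Illustrative variant: \w also matches "_", so the value can swallow the separator.
const wordClass = /name[^:]*:(?<name>\w+)_(device:)*(?<device>\w+)/;

// Illustrative variant: [^:]+ requires at least one character between "name" and ":".
const plusPrefix = /name[^:]+:(?<name>[^_]+)_(device:)*(?<device>[^_]+)/;

// Returns { name, device } for a line, or null when the pattern does not match.
function extract(pattern, line) {
  const m = pattern.exec(line);
  return m ? { name: m.groups.name, device: m.groups.device } : null;
}

// Runs every pattern over every sample line and collects the results.
function compare() {
  const rows = [];
  for (const [label, re] of Object.entries({ accepted, wordClass, plusPrefix })) {
    for (const line of samples) {
      rows.push({ label, line, result: extract(re, line) });
    }
  }
  return rows;
}

for (const row of compare()) {
  console.log(row.label.padEnd(10), row.line.padEnd(18), JSON.stringify(row.result));
}
```

On these two lines the accepted pattern yields clean values, the `\w+` variant leaves the trailing "_" on device, and the `[^:]+` variant skips the line where ":" follows "name" directly.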