Hi,
For logs such as the ones below, please help me extract the data enclosed within double quotes.
Contact Dealership Name="Amery",Role= "IT_Deal"
Contact Dealership Name="US",Role= "IT_Deal"
Contact Dealership Name="J. Nuckolls, Inc. dba Fenton Auto Sales",Role= "IT_DEAN"
I tried using rex field=_raw "Contact Dealership Name=\"(?<Dealership_Name>[^,]+)\""
But the results are as below:
Dealership_Name
Amery
US
But J. Nuckolls, Inc. dba Fenton Auto Sales is not included in the result.
How does the rex_field have to be modified to capture that also?
Hey @Deepz2612
Try this, you will be able to extract dealership name and role in one regex
| rex field=_raw “Contact\sDealership\sName=(\"|\s)(?P<ContactDealershipName>[^\"]+)\",Role=(\s|)\"(?P<Role>[^\"]+)”
Let me know if this works!
@mayurr98, max_match=0 needs to be added in case this is a single event. Contact Dealership Name does not have a space after the equals sign and before the double quotes. However, Role has a space before the double quotes. So, the following regex should also work.
You have special-character double quotes in the code above for the regular expression; convert them to simple double quotes (").
@Deepz2612, following is the run anywhere search based on your sample data:
| makeresults
| eval _raw="Contact Dealership Name=\"Amery\",Role= \"IT_Deal\"
Contact Dealership Name=\"US\",Role= \"IT_Deal\"
Contact Dealership Name=\"J. Nuckolls, Inc. dba Fenton Auto Sales\",Role= \"IT_DEAN\"
"
| rex "Contact\sDealership\sName=\"(?<contact_dealership_name>[^\"]+)\",Role=\s\"(?<role>[^\"]+)\"" max_match=0
Great!
Thanks @niketnilay. This worked, and thank you so much for helping me out.
Try the following regex:
Contact Dealership Name=\"(.+?)\"
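The three name patterns from this thread, compared side by side with Python's re module (an added example, not part of any post above). The fourth sample line with an empty name, the function names `extract` and `extract_pairs`, and the `[^"]*` / `\s*` variant are assumptions made for illustration; they show how a lazy `.+?` silently captures the wrong text when a quoted value is empty.

```python
import re

# Constructed sample: the three lines from the question plus one
# empty-name edge case (the fourth line is an assumption, not from the thread).
SAMPLE = '''Contact Dealership Name="Amery",Role= "IT_Deal"
Contact Dealership Name="US",Role= "IT_Deal"
Contact Dealership Name="J. Nuckolls, Inc. dba Fenton Auto Sales",Role= "IT_DEAN"
Contact Dealership Name="",Role= "IT_Deal"'''

PATTERNS = {
    # Original attempt: stops at the first comma, so names containing commas fail.
    "stop_at_comma": r'Contact Dealership Name="(?P<name>[^,]+)"',
    # Accepted approach: everything up to the closing double quote.
    "stop_at_quote": r'Contact Dealership Name="(?P<name>[^"]+)"',
    # Last suggestion: lazy match up to the next double quote.
    "lazy_dot": r'Contact Dealership Name="(?P<name>.+?)"',
}

# Variant added here: * instead of + accepts empty values, \s* tolerates
# zero or more spaces after Role=.
PAIR_RX = re.compile(
    r'Contact Dealership Name="(?P<name>[^"]*)",Role=\s*"(?P<role>[^"]*)"'
)


def extract(pattern, text=SAMPLE):
    """Return the captured name for each line, or None where nothing matches."""
    rx = re.compile(pattern)
    results = []
    for line in text.splitlines():
        match = rx.search(line)
        results.append(match.group("name") if match else None)
    return results


def extract_pairs(text=SAMPLE):
    """Return (name, role) tuples for every event, like rex with max_match=0."""
    return [(m.group("name"), m.group("role")) for m in PAIR_RX.finditer(text)]


if __name__ == "__main__":
    for label, pattern in PATTERNS.items():
        print(f"{label:14} {extract(pattern)}")
    print(f"{'pairs':14} {extract_pairs()}")
```

On the empty-name line the lazy pattern returns the text between the closing quote of the name and the opening quote of the role, while the negated character class either matches the real value or does not match at all.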