I have an auto-extracted field name of "conn" (conn=12345), but if the connection is SSL, then the field name becomes "conn[SSL/TLS]". I'd like to use that field name while doing things like transaction, but I can't find any way to get around those square brackets. I've tried double quotes, single quotes, dollar signs, renaming it to "conn", field alias to "conn", escaping the brackets. I assume I need rex, but I don't know where to start.
Ideally I'd like a search of "conn=12345" to include both field names (conn & conn[SSL/TLS]) as if they were one, but I'd settle for a successful rename (conn=12345 OR connSSLTLS=12345).
In your field extraction, try the regex for the conn field:
conn(?:\[[^\]]+\])?=(?<value_to_extract>[0-9]+)
Breaking the regex down:
For the field to be extracted, [0-9]+ will capture every numeric character after the "=", but if you expect any non-numeric characters you'll have to account for that.
This can handle the very simple rename option:
| rename "*[*/*]*" AS ****
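As an added example (not part of either answer above and not Splunk code), the following JavaScript runs the answer's regex, unchanged, over a handful of constructed sample events to show that "conn=..." and "conn[SSL/TLS]=..." are extracted into one value, and then reproduces the effect of the wildcard rename in plain code so you can see what field name `| rename "*[*/*]*" AS ****` produces. The event lines, the client/bytes fields, and the function names are assumptions made up for this illustration; only the regex itself comes from the answer.

```javascript
// Added example, not from the original post. Sample events are constructed
// for this illustration and are not real log data.
const SAMPLE_EVENTS = [
  'client=10.0.0.5 conn=12345 bytes=812',
  'client=10.0.0.9 conn[SSL/TLS]=12345 bytes=2201',
  'client=10.0.0.7 conn[SSL/TLS]=67890 bytes=40',
  'client=10.0.0.2 user=alice bytes=5',      // no conn field at all
  'client=10.0.0.3 conn=abc bytes=5',        // non-numeric value: [0-9]+ will not match
];

// The regex from the answer, verbatim: literal "conn", an optional "[...]"
// suffix (anything but "]" inside, so "SSL/TLS" is fine), "=", then the
// numeric value captured as value_to_extract. In Splunk the named group
// becomes the extracted field name.
const CONN_RE = /conn(?:\[[^\]]+\])?=(?<value_to_extract>[0-9]+)/;

// Return the unified conn value for one event, or null when it is absent
// or not numeric.
function extractConn(event) {
  const m = CONN_RE.exec(event);
  return m ? m.groups.value_to_extract : null;
}

// Equivalent of searching "conn=12345" once both field names are unified:
// every event whose extracted value equals the wanted value is returned,
// whether the raw event said conn= or conn[SSL/TLS]=.
function searchConn(events, wanted) {
  return events.filter((e) => extractConn(e) === wanted);
}

// Plain-JS counterpart of  | rename "*[*/*]*" AS ****  : the four wildcard
// matches are concatenated, so "conn[SSL/TLS]" becomes "connSSLTLS".
// Assumes one "/" inside the brackets, as the wildcard pattern does.
function renameBracketed(fieldName) {
  const m = /^(.*)\[(.*)\/(.*)\](.*)$/.exec(fieldName);
  return m ? m[1] + m[2] + m[3] + m[4] : fieldName;
}

// Stand-alone run: print the unified extraction for each sample event.
for (const e of SAMPLE_EVENTS) {
  console.log(JSON.stringify(e), '->', extractConn(e));
}
console.log(renameBracketed('conn[SSL/TLS]'));
```

Two caveats a practitioner would want: the regex has no anchoring, so a field such as `myconn=99` would also match; add `\b` or a leading space/start-of-line anchor if other field names can end in "conn". And, as the answer notes, `[0-9]+` only captures digits, so an event like `conn=abc` yields no value at all rather than a partial one.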