I have my log like
params=All Items | ABC | 2019-01-29 | | | | | | | = | | = | | | | | | ,uri=/api/items
This is my rex field in search:
rex field=_raw "params\=(?<parameters>[^=]+)(?=\,uri)"
I expect parameters to save everything between "params=" and ",uri=/api/items"
parameters=All Items | ABC | 2019-01-29 | | | | | | | = | | = | | | | | |
But when I perform the search, it completely ignores all characters after the equals (=) symbol and shows only
All Items | ABC | 2019-01-29 | | | | | | |
How should I fix my rex to include = as part of my search result?
Use the below rex command
rex field=_raw "params=(?<parameters>.*),uri="
Use this instead:
... | rex "params\=(?<parameters>.+?)(?=\,uri)"
OR
... | rex "params\=(?<parameters>.+)\,uri="
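Added example, not part of the original thread: a Python check of the capture patterns discussed above against the event from the question, plus a constructed event containing a second ",uri=" to show where the greedy form over-captures. Python writes named groups as (?P<name>...) where rex accepts (?<name>...); EVENT_TWO_URI, extract and compare are names made up for this illustration.

```python
import re

# Event from the question, verbatim.
EVENT = "params=All Items | ABC | 2019-01-29 | | | | | | | = | | = | | | | | | ,uri=/api/items"
# Constructed event (assumption): a later field also contains ",uri=".
EVENT_TWO_URI = "params=a = b ,uri=/api/items,referer=/x?next=1,uri=/other"

# Same regex bodies as in the thread, with Python's (?P<name>...) group syntax.
PATTERNS = {
    # Character class from the question, shown without its lookahead:
    # [^=] can never consume "=", so the capture ends at the first one.
    "negated_class": r"params=(?P<parameters>[^=]+)",
    # Lazy match: stops at the first ",uri" that follows params=.
    "lazy_lookahead": r"params=(?P<parameters>.+?)(?=,uri)",
    # Greedy match: runs to the last ",uri=" in the event.
    "greedy": r"params=(?P<parameters>.+),uri=",
}


def extract(pattern_name, event):
    """Return the captured 'parameters' value, or None if nothing matched."""
    match = re.search(PATTERNS[pattern_name], event)
    return match.group("parameters") if match else None


def compare(event):
    """Run every pattern over one event and return {pattern_name: capture}."""
    return {name: extract(name, event) for name in PATTERNS}


if __name__ == "__main__":
    for label, event in (("question event", EVENT), ("two ,uri= event", EVENT_TWO_URI)):
        print(label)
        for name, value in compare(event).items():
            print(f"  {name:15} -> {value!r}")
```

On the question's event the lazy and greedy forms return the same value; they differ only when ",uri=" can occur more than once in an event, where the lazy form keeps the capture bounded to the first delimiter.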