I am working to extract a field that at times is surrounded by quotes. This means I have either operation or "operation". I have attempted the following:
Log Example:
operation="status"
operation=status
operation="?(?P<operation>"?[^\,]+),
Doing this is close, but on the fields with quotes, the closing quote is included, which I did not want. My thought is to just do two extractions with the same name, which is not ideal for me. I am extracting until a comma, which is either after the end of the string or after the closing quote.
Edit: I do not want to do anything at search time, I want the values to be correct for other users with limited knowledge.
Right now you have the optional closing quote inside of your capture parenthesis. Try moving it outside with something like this:
operation="?(?<operation>[^\,"]+)"?,
See the working example here: https://rubular.com/r/KvJKsg4drQl51V
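To make the difference concrete, here is an added example (not part of the original thread) that runs the asker's original pattern and the corrected pattern from this answer over two constructed log lines in Python's `re` module. Python only accepts the `(?P<name>...)` form for named groups, so that is the one change from the Splunk/PCRE syntax shown above; the patterns still require the trailing comma, exactly as in the thread.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log lines, matching the two forms shown in the question.
SAMPLE_LOGS = [
    'operation="status", user=alice',
    'operation=status, user=bob',
]

# The asker's original pattern: the optional closing quote sits inside the
# capture group, so for quoted values the quote ends up in the extracted field.
# (Python's re needs (?P<name>...); Splunk/PCRE also accept (?<name>...).)
ORIGINAL_PATTERN = re.compile(r'operation="?(?P<operation>"?[^\,]+),')

# The corrected pattern from the answer: the quote is excluded from the
# character class and the optional closing quote is matched outside the group.
FIXED_PATTERN = re.compile(r'operation="?(?P<operation>[^\,"]+)"?,')


def extract_operation(line: str, pattern: "re.Pattern" = FIXED_PATTERN) -> Optional[str]:
    """Return the captured operation field, or None if the pattern does not match."""
    m = pattern.search(line)
    return m.group("operation") if m else None


def compare(lines: List[str]) -> List[Tuple[Optional[str], Optional[str]]]:
    """Run both patterns on each line and return (original, fixed) results side by side."""
    return [
        (extract_operation(line, ORIGINAL_PATTERN), extract_operation(line, FIXED_PATTERN))
        for line in lines
    ]


if __name__ == "__main__":
    for line, (orig, fixed) in zip(SAMPLE_LOGS, compare(SAMPLE_LOGS)):
        print(f"{line!r}: original -> {orig!r}, fixed -> {fixed!r}")
```

On the quoted line the original pattern returns `status"` (the stray closing quote the asker saw), while the corrected pattern returns `status` for both forms.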
This works perfectly. I had attempted something similar, but I had:
operation="?(?<operation>[^\,]+)"?,
I was missing a quote in the expression, so I was getting the closing quote in my result. Thanks.
Try this:
<your search> | rex "operation=(|\")(?<operation>[^,\"]+)"
OR
<your search> | rex "operation=(|\")(?<operation>\w+)"
Let me know if this helps!
Hi aohls,
Could you share an example of your logs?
Anyway, you have two choices:
Something like this:
index=my_index
| rex "operation\=\"(?<operation1>[^\"]*)"
| rex "operation\=(?<operation2>[^,]*)"
| eval operation=coalesce(operation1,operation2)
| ...
Bye.
Giuseppe
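The two-extraction approach in this answer relies on `coalesce()` picking the first non-null value, so the order of the arguments matters. Here is an added example (not from the thread or from Splunk) that reproduces the logic in Python: the two rex patterns above are applied to constructed log lines and combined with a small `coalesce` helper that mimics Splunk's behaviour, with `operation1` (the quoted form) first.

```python
import re
from typing import Optional

# Constructed sample log lines: quoted value, unquoted value, and a line
# with no operation field at all.
SAMPLE_LOGS = [
    'operation="status", user=alice',
    'operation=status, user=bob',
    'user=carol',
]

# The two patterns from the answer, in Python's (?P<name>...) named-group syntax.
QUOTED = re.compile(r'operation\="(?P<operation1>[^"]*)')
UNQUOTED = re.compile(r'operation\=(?P<operation2>[^,]*)')


def coalesce(*values: Optional[str]) -> Optional[str]:
    """Mimic Splunk's coalesce(): return the first argument that is not null."""
    for value in values:
        if value is not None:
            return value
    return None


def extract_with_fallback(line: str) -> Optional[str]:
    """Apply both patterns and keep the quoted extraction when it matched."""
    m1 = QUOTED.search(line)
    m2 = UNQUOTED.search(line)
    operation1 = m1.group("operation1") if m1 else None
    operation2 = m2.group("operation2") if m2 else None
    # operation1 must come first: on a quoted line operation2 also matches,
    # but it captures the surrounding quotes ("status").
    return coalesce(operation1, operation2)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"{line!r} -> {extract_with_fallback(line)!r}")
```

Swapping the argument order to `coalesce(operation2, operation1)` would return `"status"` with the quotes on the quoted line, which is the problem the original question is trying to avoid.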
You can just try a replace after the operation is extracted:
| eval operation=replace(operation,"\"","")
I am hoping to accomplish this within the extraction and avoid any search time requirements.