How do I extract a field that can contain letters, numbers and other characters, as in the example below?
The field to extract is policyName, which always comes preceded by the instanceId field.
Ex:
policyName = Unrestricted Inbound Access on network security groups instanceId = 5313
policyName = Unrestricted MongoDB Access in network security groups instanceId = 5313
policyName = [Exchange] - CPF totalMatchCount = 12 instanceId = 5319
policyName = Unencrypted OS disks instanceId = 5313
policyName = Check Disable Telnet (port 23) access on Network Security Groups from Internet instanceId = 5313
I have tried several ways, but they only extract the first word after the "=" sign, e.g. "[Exchange]", "Unrestricted", etc.
Can anyone help?
Thank you very much in advance.
| makeresults |eval x="Ex: policyName = Unrestricted Inbound Access on network security groups instanceId = 5313
policyName = Unrestricted MongoDB Access in network security groups instanceId = 5313
policyName = [Exchange] - CPF totalMatchCount = 12 instanceId = 5319
policyName = Unencrypted OS disks instanceId = 5313
policyName = Check Disable Telnet (port 23) access on Network Security Groups from Internet instanceId = 5313" | rex field=x "policyName+\s+\=(?<pname>.*?)instanceId" max_match=0
To extract the field in inline mode, I used this regex:
(?:policyName = (?P<policy>.*)instanceId)
Thank you very much.
Hi Sukisen!
It worked at search time, but the inline extraction does not. What would it look like for an inline extraction?
Thank you.
James
Hi @jfeitosa_real,
It should work in inline search as well.
Is the inline search a table in a dashboard? If so, check the time range of the search.
It could be that your logs are multispaced; in that case use this regex: rex field=x "(?ms)policyName+\s+\=(?<pname>.*?)instanceId" max_match=0
Hi @Sukisen1981,
In fact, it is to extract the field without a search.
I got it this way:
(?:policyName=(?P<policy>.*)instanceId)
Thanks for your attention; your example helped me find this result.
Thank you very much.
James []s
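As an added illustration that is not part of the thread, here is the same extraction in Python's re module, whose (?P<name>...) groups, lazy .*? and DOTALL flag correspond to the constructs used in the rex commands above (Splunk's rex is PCRE-based, so they behave the same way). The sample events are constructed from the question's example lines; the \S+ pattern used to reproduce the "first word only" symptom is an assumed cause, since the failing regex itself was never posted. The capture here also trims the spaces around the value, which the thread's pattern keeps.

```python
import re
from typing import List, Optional

# Constructed sample events, copied from the question's example lines (one event per line).
SAMPLE_EVENTS = [
    "policyName = Unrestricted Inbound Access on network security groups instanceId = 5313",
    "policyName = Unrestricted MongoDB Access in network security groups instanceId = 5313",
    "policyName = [Exchange] - CPF totalMatchCount = 12 instanceId = 5319",
    "policyName = Unencrypted OS disks instanceId = 5313",
    "policyName = Check Disable Telnet (port 23) access on Network Security Groups from Internet instanceId = 5313",
]

# Reproduces the symptom in the question: \S+ stops at the first space, so only
# "[Exchange]" or "Unrestricted" is captured. (Assumed cause; the failing attempt is not on the page.)
FIRST_WORD_RE = re.compile(r"policyName\s*=\s*(?P<policy>\S+)")

# Same construction as the accepted rex: a lazy .*? that stops at the literal "instanceId".
# The \s* on each side of the capture trims the surrounding spaces that the thread's version keeps.
LAZY_RE = re.compile(r"policyName\s*=\s*(?P<policy>.*?)\s*instanceId")

# Greedy variant, like the final inline regex in the thread; fine with one pair per
# line, but it runs to the LAST "instanceId" once "." is allowed to cross newlines.
GREEDY_RE = re.compile(r"policyName\s*=\s*(?P<policy>.*)\s*instanceId")


def first_word(event: str) -> Optional[str]:
    """What a \\S+ capture returns: only the first token after '='."""
    m = FIRST_WORD_RE.search(event)
    return m.group("policy") if m else None


def extract_policy(event: str, multiline: bool = False) -> Optional[str]:
    """Full policyName value of one event; multiline=True plays the role of Splunk's (?ms) prefix."""
    pattern = re.compile(LAZY_RE.pattern, re.DOTALL if multiline else 0)
    m = pattern.search(event)
    return m.group("policy") if m else None


def extract_all(blob: str, greedy: bool = False, multiline: bool = False) -> List[str]:
    """max_match=0 equivalent: every policyName inside one value that holds several events."""
    base = GREEDY_RE if greedy else LAZY_RE
    pattern = re.compile(base.pattern, re.DOTALL if multiline else 0)
    return [m.group("policy") for m in pattern.finditer(blob)]


if __name__ == "__main__":
    blob = "\n".join(SAMPLE_EVENTS)
    for ev in SAMPLE_EVENTS:
        print(f"{first_word(ev)!r:16} -> {extract_policy(ev)!r}")
    print(len(extract_all(blob)), "lazy matches;",
          len(extract_all(blob, greedy=True, multiline=True)), "greedy+DOTALL match")
    # A constructed event whose value wraps onto a second line: only the DOTALL variant matches it.
    wrapped = "policyName = Unencrypted OS\ndisks instanceId = 5313"
    print(extract_policy(wrapped), "|", extract_policy(wrapped, multiline=True))
```

The lazy quantifier is what makes the pattern safe for a value that holds several events (max_match=0): with the greedy form plus (?ms), one match swallows everything up to the last instanceId, which is the trap to watch for when the greedy inline regex is later combined with multi-line events.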