Hi Everyone:
I'd like to extract everything before the first "=" below (starting from the right):
sender=john&uid=johndoe
Note: I will be dealing with varying uid's and string lengths.
Any assistance would be greatly appreciated.
Regular expressions work left-to-right so what you want is everything after the last "=". Or is it more precise to say you want the UID string? If the latter, try this:
| rex "&uid=(?<uid>.*)"
Plan A:
| makeresults
| eval _raw="something_time something test=foobaa&sender=john&uid=johndoe"
| extract pairdelim="&" kvdelim="="
| eval uid_length=len(uid)
It may not be so easy, I tried to extract from _raw
.
Plan B:
| makeresults
| eval your_field="foobaa&sender=john&uid=johndoe"
| eval tmp=mvindex(split(your_field,"&"),mvfind(split(your_field,"&"),"uid"))
| eval uid=mvindex(split(tmp,"="),1)
| eval uid_length=len(uid)
All plans are REGEX-free
Even more generic, try this:
| rex "(?<last_word>[^=]+$)"
Regular expressions work left-to-right so what you want is everything after the last "=". Or is it more precise to say you want the UID string? If the latter, try this:
| rex "&uid=(?<uid>.*)"
This worked, thank you so much!