- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Field Extraction Regex - optional fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm terrible with Regex's and can't figure out what is wrong with mine...
I have this Regex:
(?P<date>[^,\n]+),\d*--(?P<account>[^,]+),(?P<provider>[^,]+),(?P<product>[^,]+),(?P<service_username>[^,]*),(?P<billing_status>[^,]+),(?P<activities>[^,]*),(?P<requests>[^,]*),(?P<days>[^,]*),(?P<ruuid>[^,]*)
Currently working fine for events like:
2014-04-03,1034--account,provider,product,username,Billable,10073107,,19,e5xwcmhbrk,
We've added another field to the end that is optional for some events (80--parent below):
2014-04-03,1307--account,provider,product,username,Billable,1614,0,,,80--parent
I can't figure out how to extract that "parent" value when it exists (I don't want the preceding "80--". It should work exactly as the 1304--account works in the currently functioning regex. When I try to essentially copy that part of the functioning regex, my queries only return the events that have that parent field name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this.
"^(?P<date>[^,\n]+),\d+--(?P<account>[^,]+),(?P<provider>[^,]+),(?P<product>[^,]+),(?P<service_username>[^,]*),(?P<billing_status>[^,]+),(?P<activities>[^,]*),(?P<requests>[^,]*),(?P<days>[^,]*),(?P<ruuid>[^,]*)[,\d-]*(?P<parent>.*)"
Updated answer
This will be scalable. For every new field to be added at the end of event, your can add "[,\d-]*(?P<newFieldName>[^,]*)" to the regex.
"^(?P<date>[^,\n]+),\d+--(?P<account>[^,]+),(?P<provider>[^,]+),(?P<product>[^,]+),(?P<service_username>[^,]*),(?P<billing_status>[^,]+),(?P<activities>[^,]*),(?P<requests>[^,]*),(?P<days>[^,]*),(?P<ruuid>[^,]*)[,\d-]*(?P<parent>[^,]*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this.
"^(?P<date>[^,\n]+),\d+--(?P<account>[^,]+),(?P<provider>[^,]+),(?P<product>[^,]+),(?P<service_username>[^,]*),(?P<billing_status>[^,]+),(?P<activities>[^,]*),(?P<requests>[^,]*),(?P<days>[^,]*),(?P<ruuid>[^,]*)[,\d-]*(?P<parent>.*)"
Updated answer
This will be scalable. For every new field to be added at the end of event, your can add "[,\d-]*(?P<newFieldName>[^,]*)" to the regex.
"^(?P<date>[^,\n]+),\d+--(?P<account>[^,]+),(?P<provider>[^,]+),(?P<product>[^,]+),(?P<service_username>[^,]*),(?P<billing_status>[^,]+),(?P<activities>[^,]*),(?P<requests>[^,]*),(?P<days>[^,]*),(?P<ruuid>[^,]*)[,\d-]*(?P<parent>[^,]*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The correct regex is:
"(?P
*),(?P
The entire extra argument is encased in one "(?: ... )?". The other regexes suggested above allow invalid things, such as just "5-5,5-5,parent"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the events where this field is not present,comma is also not present so its options here. See the updated answer for scalable regex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works. Will this easily allow me to add other fields? Seems weird that its not comma-delimited like everything else
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
