Solved: Regex file name after space

jacqu3sy · ‎03-29-2018

Hi,

Regex wimp here...

I need to extract the file name after the word detected fro ma _raw event.

Example of _raw log;

change to a file has been detected /etc/fileinquestion.conf

I've tried the following but it errors;

| rex field=_raw "detected\s*(?*)"

Any helps appreciated. Thanks.

p_gurav · ‎03-29-2018

Hi can you try:

    | rex field=_raw "detected\s*(?P<filename>.*)"

tiagofbmm · ‎03-29-2018

Considering that your message might vary the part before the file name, i think you should use a negative lookahead style, like this

 | rex field=_raw "(?=\/)(?P<filename>.*)"

jacqu3sy · ‎03-29-2018

It works, but I'm not sure how!? Would you mind explaining what the (?=\/) achieves?

tiagofbmm · ‎03-29-2018

It says to the regex processor to not capture anything until it finds the /.

It is more agile than assuming the logs always have the word "detected". But it's up to your specific scenario though.

If it suits you, please upvote the answer as it is a valid option

jacqu3sy · ‎03-29-2018

Great. Thanks.

p_gurav · ‎03-29-2018

Hi can you try:

    | rex field=_raw "detected\s*(?P<filename>.*)"

jacqu3sy · ‎03-29-2018

Worked a treat. Thanks.

p_gurav · ‎03-29-2018

Please accept answer if its helpful.. 🙂

Regex file name after space