Hi All,
I'm trying to extract a field. However, the field I want to extract isn't at the same location each time. I thought I would try to do a regex on the string only without the field number.
The string I am trying to match is similar to below:
ABCS-3-ABCD_A
ABCDS-2-DFESAC
OSBFSASD-9-SDS_DSA
This is what I came up with, but it's not working:
^(?:[^[\w+]-\d-[\S+]*)(?P[^:]+)
Any help would be appreciated.
I am guessing the string that you are trying to match always starts with '%'.
| makeresults
| eval string="Sep 18 22:12:48 hostname.domain : hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter."
| rex field=string ".*\%(?<extract>[A-Z-0-9_]+).*"
| table string extract
This should give you the string (SESDA-9-BSCS).
Before [A-Z-0-9_] and after the ? , please add (without spaces) - surprisingly that was taken out on its own.
add 'extract' - enclosed in <>
The regex string ".*" matches your examples, but is probably not what you need. Please provide complete events that put your target strings in context. Specify what you want extracted from the events. If you describe what you want in words, someone should be able to convert that into a regex.
I figured it out. Thanks for the help.
@itionet
I'm glad you figured out an answer to your question. Would you mind creating an answer post describing how you were able to solve your problem and then approving it? That way, others could learn from your problem in the future.
Thanks!
Hi. Maybe you can update your REX command (as an answer), so that it will be helpful for others in the future, and then please accept your answer as the accepted answer.
So, this is basically what I'm looking at:
Sep 18 22:12:48 hostname.domain %STRING-A:WD %SECSD-4-DS_S: A bunch of text that doesn't matter.
Sep 18 22:12:48 hostname.domain %STRONG-A:SD %LOSSD-3-DACS: A bunch of text that doesn't matter.
Sep 18 22:12:48 hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter.
Sep 18 22:12:48 hostname.domain : hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter.
As you can see the string I want to pull out is usually in position 5, the first one being SECSD-4-DS_S. However, sometimes it is in position 6. I want to pull it out of the string no matter the position. The string will always be some number of uppercase letters followed by a - (dash), followed by a digit, followed by another dash, and then some number of uppercase and non-alphanumeric characters.
Thanks.
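Added example, not part of any post in this thread: a position-independent extraction that anchors on the shape described in the last post ('%', uppercase letters, dash, one digit, dash, uppercase letters or underscores, then ':'), run beside a greedy "whatever follows the last %" pattern that uses the same character class as the rex answer. The group name `code`, the function name and the last two sample lines are assumptions constructed for this example; the first four lines are the events quoted above.

```python
import re

# Shape-anchored: '%', uppercase letters, '-', one digit, '-', uppercase/underscore, ':'.
# The group name "code" is an assumption of this example.
SHAPE = re.compile(r"%(?P<code>[A-Z]+-\d-[A-Z_]+):")

# Greedy comparison: '.*' runs to the LAST '%' followed by a class character,
# so anything after the real code can change what gets extracted.
GREEDY = re.compile(r".*%(?P<code>[A-Z-0-9_]+).*")

EVENTS = [
    # Events quoted in the thread
    "Sep 18 22:12:48 hostname.domain %STRING-A:WD %SECSD-4-DS_S: A bunch of text that doesn't matter.",
    "Sep 18 22:12:48 hostname.domain %STRONG-A:SD %LOSSD-3-DACS: A bunch of text that doesn't matter.",
    "Sep 18 22:12:48 hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter.",
    "Sep 18 22:12:48 hostname.domain : hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter.",
    # Constructed: message text contains a URL-encoded character ('%2F')
    "Sep 18 22:12:50 hostname.domain %STRANG-A:FD %SECSD-4-DS_S: request path /admin%2Fconfig denied",
    # Constructed: event with no message code at all
    "Sep 18 22:12:51 hostname.domain : link flap, no message code",
]


def extract(line, pattern=SHAPE):
    """Return the captured code, or None when the line does not contain one."""
    m = pattern.search(line)
    return m.group("code") if m else None


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"shape={extract(ev)!s:<14} greedy={extract(ev, GREEDY)!s:<14} {ev[:60]}")
```

The same pattern body works in rex with the group written as `(?<code>...)`; only the shape-anchored version keeps returning SECSD-4-DS_S when the message text itself contains a '%'.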