Splunk Search

How to edit my regex to extract this value from my data?

ibekacyril
Explorer

This should be an easy thing to do but obviously, I am missing it. I need to extract "cannot be located"

c.f.a.k.m.SessionDaoImpl - The owner with id: s3498-34ef-034456d-c65a5678-fcd4-11e5-a5d4f cannot be located

[2016-04-07 15:41:44,760]

Here is my code:

my search | rex  "c\.f\.a\.k\.m\.SessionDaoImpl\s\-\sThe\sowner\swith\sid:\s[\w+\d+]\s(?<captureThis>\w+)"\[

Thanks in advance

0 Karma
1 Solution

javiergn
Super Champion

Try this instead:

my search 
| rex "(?msi):\s+[\w\-]+\s+(?<message>[\w\s]+)"

And then use the message variable as you wish.

EDIT to include code description as requested:

(?msi) --> support for multiline, "single line mode" makes the dot match all characters including line breaks, case insensitive
:\s+ --> find a colon followed by multiple blank spaces
[\w\-]+\s+ --> Look for 1 or more alphanumerical characters or hyphens followed by 1 or more blanks
(?<message>[\w\s]+) --> capture in the token message 1 or more alphanumerical or blank space characters

ibekacyril
Explorer

Hi javiergn, I am only able to extract "doesn". Could you explain your code too?
Thanks

0 Karma

ibekacyril
Explorer

Just tweaked it and got "doesn't exist" by adding \'. How can I tweak it to get:
The owner with id doesn't exist

Thanks

0 Karma

javiergn
Super Champion

Hi,

I'm not sure what you mean. For instance, if I run the following in order to replicate your logs:

| stats count
| eval _raw ="c.f.a.k.m.SessionDaoImpl - The owner with id: s3498-34ef-034456d-c65a5678-fcd4-11e5-a5d4f cannot be located [2016-04-07 15:41:44,760]"
| rex "(?msi):\s+[\w\-]+\s+(?<message>[\w\s]+)"
| table message

I get the output:

message
cannot be located 

Isn't that what you are trying to achieve?
If not, can you post your whole query here so that we can investigate a bit more?

Thanks,
J

0 Karma

ibekacyril
Explorer

Hi J, I finally got it working. Thanks, it was my mistake

0 Karma

ibekacyril
Explorer

Hi J, is there a way of combining two rex searches together, say the first one like above and then I have this second rex "[Status] .+? - (?<output>.+)" | code that combines message and output into one name (outMessage)

0 Karma

javiergn
Super Champion

You could do something like:

your search here
| rex "(?msi):\s+[\w\-]+\s+(?<message>[\w\s]+)"
| rex "\[Status\] .+?\-(?<output>.+)"
| eval outMessage = message + output

Careful with your regex by the way. If you don't escape the special characters it won't work as expected.

0 Karma
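The thread's regexes, run outside Splunk so the behaviour can be checked line by line. This is an added example, not code from the thread: it covers the accepted `rex` pattern, why the original `[\w+\d+]` pattern never matched, the "doesn" result the asker hit on a message containing an apostrophe, and the two chained `rex` commands plus `eval outMessage = message + output` from the last answer. Splunk's `rex` uses PCRE, where a named group is written `(?<name>...)`; Python's `re` spells the same thing `(?P<name>...)`, which is the only change made to the posted patterns. The extra sample events (the `doesn't exist` line, the `[Status]` lines) and the `HARDENED_RE` variant are assumptions constructed for illustration.

```python
import re

# Constructed sample events (not from the thread's real logs). EVENT_LOCATED is
# the line quoted in the question; the others are assumptions built to exercise
# the edge cases raised in the replies.
EVENT_LOCATED = (
    "c.f.a.k.m.SessionDaoImpl - The owner with id: "
    "s3498-34ef-034456d-c65a5678-fcd4-11e5-a5d4f cannot be located "
    "[2016-04-07 15:41:44,760]"
)
EVENT_APOSTROPHE = (
    "c.f.a.k.m.SessionDaoImpl - The owner with id: "
    "s3498-34ef-034456d-c65a5678-fcd4-11e5-a5d4f doesn't exist "
    "[2016-04-07 15:41:45,001]"
)
EVENT_STATUS = "[Status] lookup 42 - retry scheduled"
EVENT_BOTH = (
    "c.f.a.k.m.SessionDaoImpl - The owner with id: "
    "s3498-34ef-034456d-c65a5678-fcd4-11e5-a5d4f cannot be located "
    "[Status] cache - miss"
)

# The asker's original pattern, as posted (group syntax translated to Python).
ORIGINAL_RE = re.compile(
    r"c\.f\.a\.k\.m\.SessionDaoImpl\s\-\sThe\sowner\swith\sid:\s"
    r"[\w+\d+]\s(?P<captureThis>\w+)"
)
# Why it fails: [\w+\d+] is a ONE-character class (a word char, '+' or digit),
# so it consumes only the "s" of the id and then \s demands a blank where "3"
# sits. The intended repeated class is [\w\-]+ (and [\w\s]+ for the message).
ORIGINAL_FIXED_RE = re.compile(
    r"c\.f\.a\.k\.m\.SessionDaoImpl\s\-\sThe\sowner\swith\sid:\s"
    r"[\w\-]+\s(?P<captureThis>[\w\s]+)"
)
# The accepted answer's pattern.
ACCEPTED_RE = re.compile(r"(?msi):\s+[\w\-]+\s+(?P<message>[\w\s]+)")
# Hardened variant (an assumption, not from the thread): capture everything up
# to the bracketed timestamp, so apostrophes and other punctuation survive, and
# keep the trailing blank out of the field.
HARDENED_RE = re.compile(r"(?msi):\s+[\w\-]+\s+(?P<message>[^\[]+?)\s*\[")
# Second rex from the last answer. Note there is no \s* after \-, so the
# captured output keeps its leading blank.
STATUS_RE = re.compile(r"\[Status\] .+?\-(?P<output>.+)")


def rex(pattern, event):
    """Mimic `| rex "<pattern>"`: the named groups of the first match, or no
    fields at all when the pattern misses (rex never errors on a miss)."""
    m = pattern.search(event)
    return m.groupdict() if m else {}


def extract(event):
    """Mimic the two chained rex commands plus
    `eval outMessage = message + output`. In SPL, `+` on strings concatenates,
    but a null operand makes the result null, so outMessage only appears on
    events where BOTH patterns matched the same event."""
    fields = {}
    fields.update(rex(ACCEPTED_RE, event))
    fields.update(rex(STATUS_RE, event))
    if "message" in fields and "output" in fields:
        fields["outMessage"] = fields["message"] + fields["output"]
    return fields


def table(events, *columns):
    """Mimic `| table col1 col2 ...` over a list of raw events; missing fields
    come back as None, the way an empty cell would."""
    return [tuple(extract(e).get(c) for c in columns) for e in events]


if __name__ == "__main__":
    print("original  :", rex(ORIGINAL_RE, EVENT_LOCATED))        # {} -> no match at all
    print("orig fixed:", rex(ORIGINAL_FIXED_RE, EVENT_LOCATED))  # captureThis='cannot be located '
    print("accepted  :", rex(ACCEPTED_RE, EVENT_LOCATED))        # message='cannot be located '
    print("apostrophe:", rex(ACCEPTED_RE, EVENT_APOSTROPHE))     # message='doesn' (stops at the quote)
    print("hardened  :", rex(HARDENED_RE, EVENT_APOSTROPHE))     # message="doesn't exist"
    for row in table([EVENT_LOCATED, EVENT_STATUS, EVENT_BOTH],
                     "message", "output", "outMessage"):
        print(row)
```

Two things worth noticing when you run it: the accepted pattern's `[\w\s]+` stops at the first character that is neither a word character nor whitespace, which is why the asker saw "doesn" and had to add `\'` to the class, and both captures keep an edge blank (trailing on `message`, leading on `output`), so the concatenated `outMessage` for `EVENT_BOTH` contains a double space. Trim in the regex (as `HARDENED_RE` does with `\s*\[`) or with `trim()` in the eval before the fields are used for matching elsewhere.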