Solved: How to escape the end bracket using rex?

rbdev · ‎06-20-2018

I've read the threads on escaping the parens and the such. But I'm trying to do the "]". I thought I would be able to just swap the ")" for "]" in the rex command but it doesn't work.

Line: ....[Status: 4] [myfield2: myvalue2][myfield3:myvalue3] [myfield4:myvalue4]

So I've tried the following to extract field2 as value2. The closest one I get is the first and second one. I get the field to extract, but it doesn't cut off on the "]" after it (so the values look like: myvalue2][myfield3:myvalue3] [myfield4:myvalue4])

rex field=_raw "myfield2: (?<myextractvalue2>.*)\\]"

rex field=_raw "myfield2: (?<myextractvalue2>.*)\]"

rex field=_raw "myfield2: (?<myextractvalue2>\w)\\]"

Any help would be greatly appreciated. Thanks.

cpetterborg · ‎06-20-2018

Try:

rex field=_raw "myfield2:\s*(?<myextractvalue2>[^\]]*)"

or

rex field=_raw "myfield2:\s*(?<myextractvalue2>.*?)\]"

View solution in original post

poete · ‎06-20-2018

Hello,

this should do :

| makeresults 
| eval someField="[Status: 4] [myfield2: myvalue2][myfield3:myvalue3] [myfield4:myvalue4]"
| rex field=someField "myfield2: (?<myextractvalue2>[A-Za-z0-9]+)" 
| rex field=someField "myfield3:(?<myextractvalue3>[A-Za-z0-9]+)"
| rex field=someField "myfield4:(?<myextractvalue4>[A-Za-z0-9]+)"

cpetterborg · ‎06-20-2018

Try:

rex field=_raw "myfield2:\s*(?<myextractvalue2>[^\]]*)"

or

rex field=_raw "myfield2:\s*(?<myextractvalue2>.*?)\]"

rbdev · ‎06-20-2018

EXCELLENT!! Thank you! The second actually worked better for me. The first one sometimes cut the value for some reason. But the second one perfect!

How to escape the end bracket using rex?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases