Re: How to write the regex to extract a field with...

Cuyose · ‎08-03-2015

I haven't a clue why I cannot find this particular issue. I would think it would come up all the time. I want to extract text into a field based on a common start string and optional end strings.

Based on these 2 events, I want to extract the italics
Message=Layer SessionContext was missing. Key searched for was kt2oddg0cahtgoo13aotkf54.
Message=Could not derive start call POS key from: TPID=37, EAPID=0, SourceCode=TA, CID=, Brand=EAI

In other words, if there is an end string that matches Key, get everything before it and the beginning string, otherwise just grab it all up to /n

These will work, but I cannot get them combined.

 rex field=_raw "(?i)Message=(?P<testMessage>.*?)\bKey"
 rex field=_raw "(?i)Message=(?P<testMessage>.*?)\n"

woodcock · ‎08-03-2015

Try this:

rex field=_raw "(?i)Message=(?<testMessage>.*?)(?:\bKey|\n)

bmacias84 · ‎08-03-2015

?: is a non-capturing group.

Cuyose · ‎08-03-2015

Perfect, I am not sure why I couldnt find the (?:\bKey|\n)" syntax.

so in the above the "(?:" portion is stating an optional lookbehind?

woodcock · ‎03-13-2018

Also, @Cuyose, you should click Accept to close the question and let people find working answers more easily.

woodcock · ‎08-03-2015

No, the (?:) syntax says "treat this as a group but not a capture-group". So it says that the thing before it must end with either \bkey or with \n. There is no need for lookbehind.

How to write the regex to extract a field with optional end anchors?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases