50.99.220.89
- 50.99.248.89 - - [12/Jun/2019:08:27:13 -0400] "POST /ccc67/JJ/U7UY/BCFUVGYUYGI11HTTP/1.1" 500 6629
abcdef.us12345
v1
v2
How can I extract v1 and v2 from the events?
v2 always starts with abc and has a 5-digit port number.
Please guide, thanks.
Use the backtick before and after your line to show all special characters
Hi reverese,
Can you please modify your question using a backtick character before and after your sample line?
But here's what you can do with the rex command:
| rex "^(?<v1>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*(?<v2>abc\S+\d{5})$"
Can I use a single rex to extract both v1 and v2 for each raw line?
In most cases, yes. Could you clarify what v1 is and what v2 is in your raw line? Is v1 an ip address? Give me an example of v1 and v2. Thanks.
I found the solution. I just added two rex commands and it worked. I am able to use both variables in my stats command.
Ok, but if v1 = abcdef.us12345
and v2 = abcdef.us:12345
do you really need to differentiate between v1 & v2, or are you just trying to capture the data?
If you don't care you would use:
| rex ".*(?<v1>abc\S+\d{1,5})$"
If you DO care then you would use:
| rex ".*(?<v2>abc[^:]+:\d{1,5})|(?<v1>abc\S+\d{1,5})$"
v1 = 50.99.220.89, v2 = abcdef.us:12345
Much clearer... Definitely no need for 2 rex statements for that. The one I provided above in the answer works on that.
I have a rex like: rex "(?xxxx|yyyy)"
When using stats by action, my results are divided by xxxx and yyyy.
How can I avoid this separation?
You'll need to write that more clearly, and use the backticks around your rex statement so special characters don't get removed.
What's the whole search? And what does an event look like for that search where the rex matches?
Yes, you can.
Please guide with the mentioned example raw event
Updated. Thanks!
What is v1 in your example? Is it 1.1? And what is the value of v2 in the above example?
abcdef.us12345
abcdef.us:12345
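The single-regex extraction discussed in this thread, worked through in Python as an added example (not code from the thread or from Splunk): one pattern with named groups pulls the leading client IP (v1) and the trailing abc...NNNNN field (v2), a second check distinguishes the colon from the no-colon form of v2, and a small aggregation mirrors "stats count by v1". The sample events are constructed to resemble the thread's access-log line; Python's re writes named groups as (?P<name>...) where Splunk's rex uses (?<name>...).

```python
import re
from collections import Counter

# Constructed sample events modelled on the thread's example line (not real traffic).
# Each access-log line ends with the field the thread calls v2; the colon before the port is optional.
SAMPLE_EVENTS = [
    '50.99.248.89 - - [12/Jun/2019:08:27:13 -0400] "POST /ccc67/JJ/U7UY/BCFUVGYUYGI11 HTTP/1.1" 500 6629 abcdef.us12345',
    '50.99.220.89 - - [12/Jun/2019:08:27:14 -0400] "GET /login HTTP/1.1" 200 512 abcdef.us:12345',
    '50.99.220.89 - - [12/Jun/2019:08:27:15 -0400] "GET /login HTTP/1.1" 401 87 abcdef.us:12345',
    'not an access log line at all',
]

# One regex extracts both fields, as the single-rex answer in the thread does.
# Splunk rex uses (?<name>...) for named groups; Python's re needs (?P<name>...).
EVENT_RE = re.compile(
    r"^(?P<v1>\d{1,3}(?:\.\d{1,3}){3})"   # v1: leading IPv4 client address
    r".*?"                                # everything in between, matched lazily
    r"(?P<v2>abc[^\s:]+:?\d{5})$"         # v2: starts with abc, ends in a 5-digit port, colon optional
)


def extract(event):
    """Return {'v1': ..., 'v2': ...} for a matching event, or None (rex yields no fields for non-matching events)."""
    m = EVENT_RE.search(event)
    return m.groupdict() if m else None


def has_port_separator(v2):
    """True for the 'abcdef.us:12345' form, False for 'abcdef.us12345' (the distinction the second answer draws)."""
    return re.fullmatch(r"abc[^:]+:\d{1,5}", v2) is not None


def count_by(events, field):
    """Equivalent of '... | stats count by <field>' over the events the regex matches."""
    counts = Counter()
    for event in events:
        fields = extract(event)
        if fields:
            counts[fields[field]] += 1
    return dict(counts)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract(event))
    print(count_by(SAMPLE_EVENTS, "v1"))
```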