Hi, I have a search string that does the following:
temperature sourcetype=kaa | rex field=_raw "\"endpointKeyHash\":{\"string\":\"(?<endpoint>[^\"]*)\".\"Event\": (?<mydata>{.*})$" | spath input=mydata | table _time, temperature, endpoint
The results will have 3 columns as _time, endpoint, temperature.
Under endpoint, it will reflect something like MASHjkasdhfa=.
I wanted to extract just MASHjkasdhfa but I can't do it with (?<endpoint>[^=]*)? How should I phrase it?
Hi wuming79,
Sorry, could you share an example of your logs?
In addition, could you format your regex as a Code Sample, because it isn't readable.
Bye.
Giuseppe
You are probably using .* to capture the field, switch this to [^=]* instead.
Hi,
The log is in this format under _raw field. Sorry, how do I paste it as Code Sample?
2641328 [EPS-log-dispatcher-11] INFO 1.24978294676695149906 - {"Log Header": "{"endpointKeyHash":{"string":"MAz7MadOhr02tPt5vtZsSEy9FWw="},"applicationToken":{"string":"24978294676695149906"},"headerVersion":{"int":1},"timestamp":{"long":1495594584490},"logSchemaVersion":{"int":2}}","Event":{"temperature":-1,"timeStamp":1495594583638}}
Hi wuming79,
If I understand correctly, you want to extract the string between the double quotes after endpointKeyHash and String, correct?
If this is what you need, your regex is
endpointKeyHash\":\{\"string\":\"(?<endpointKeyHash>[^\=\"]*)
you can test it at https://regex101.com/r/rbE3YH/1
When you insert a regex in a message, you have to select it and click on the "Code Sample" button (the one with 101010 numbers): in this way it's possible to see special characters.
Bye.
Giuseppe
Thanks Giuseppe. I got it now.
Use the following rex to extract the text before the "=" symbol
|rex field=endpoint "(?<extracted_endpoint>.+?)="
Try using regex101 for generating rex in the future.
Not sure why my original question was not updated. I need to correct my search string which is
temperature sourcetype=kaa_file | rex field=_raw "\"endpointKeyHash\":{\"string\":\"(?<endpoint>[^\"]*)\".\"Event\": (?<mydata>{.*})$" | spath input=mydata | table _time, temperature, endpoint
I tried replacing "(?<endpoint>[^\"]*) with "(?<endpoint>.+?)=" and it works. But what does .+?)= mean? I thought everything that I wanted to extract should be within the ( )?
Go to regex101.com and enter your string and the regex. It will tell you exactly what each of the different symbols are doing on the right hand side of the extraction. Cheers.
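Added example, not part of the thread and not Splunk's own code: the same extraction worked through in Python's re module, which accepts the same named-group syntax as rex once (?<name>...) is written as (?P<name>...). It covers both Giuseppe's [^="] pattern and the later .+?= question: the = sits outside the parentheses, so it is consumed by the match but not captured, and the ? after + makes the quantifier lazy, which matters when a base64-style value ends in two padding characters. The sample line is constructed from the one posted above, and the group names endpoint and mydata are taken from the question's table and spath; the three variant patterns are my own.

```python
import json
import re

# Constructed sample event, modelled on the _raw line quoted in the thread.
# Note the "Log Header" value contains unescaped quotes, so the whole line is
# not valid JSON; that is why the thread uses rex to cut out the Event object
# before handing it to spath.
SAMPLE_RAW = (
    '2641328 [EPS-log-dispatcher-11] INFO 1.24978294676695149906 - '
    '{"Log Header": "{"endpointKeyHash":{"string":"MAz7MadOhr02tPt5vtZsSEy9FWw="},'
    '"applicationToken":{"string":"24978294676695149906"},"headerVersion":{"int":1},'
    '"timestamp":{"long":1495594584490},"logSchemaVersion":{"int":2}}",'
    '"Event":{"temperature":-1,"timeStamp":1495594583638}}'
)

# My rewrite of the two-group rex from the question. The Event object has no
# nested braces, so [^{}]* is enough to stop at its closing brace (an
# unanchored {.*} would also swallow the outer object's final brace).
FULL_RE = re.compile(
    r'"endpointKeyHash":\{"string":"(?P<endpoint>[^"]*)"'
    r'.*"Event":(?P<mydata>\{[^{}]*\})'
)

# Three ways of writing the endpoint group that come up in the thread.
ENDPOINT_VARIANTS = {
    # original: stops at the closing quote, so the trailing = is captured
    "keep_all": r'"endpointKeyHash":\{"string":"(?P<endpoint>[^"]*)"',
    # Giuseppe's answer: stop before either = or "
    "negated_class": r'"endpointKeyHash":\{"string":"(?P<endpoint>[^="]*)',
    # the .+?= form: the = is matched by the pattern but lies outside the group
    "lazy_dot": r'"endpointKeyHash":\{"string":"(?P<endpoint>.+?)="',
}


def extract_endpoint(raw, variant):
    """Return the endpoint group for one of the variants above, or None."""
    m = re.search(ENDPOINT_VARIANTS[variant], raw)
    return m.group("endpoint") if m else None


def extract_fields(raw):
    """Equivalent of rex + spath input=mydata + table: endpoint and temperature."""
    m = FULL_RE.search(raw)
    if not m:
        return None
    event = json.loads(m.group("mydata"))  # what spath does with the mydata field
    return {"endpoint": m.group("endpoint"), "temperature": event["temperature"]}


def strip_padding(value, lazy=True):
    """Second-stage rex from the thread, (?<extracted_endpoint>.+?)=, applied to
    the already-extracted field. With lazy=False the quantifier is greedy and
    the group keeps everything up to the LAST '=' instead of the first."""
    pattern = r"(?P<extracted_endpoint>.+?)=" if lazy else r"(?P<extracted_endpoint>.+)="
    m = re.match(pattern, value)
    return m.group("extracted_endpoint") if m else None


if __name__ == "__main__":
    for name in ENDPOINT_VARIANTS:
        print(f"{name:14s} -> {extract_endpoint(SAMPLE_RAW, name)!r}")
    print(extract_fields(SAMPLE_RAW))
    print("lazy  :", strip_padding("abc=="))
    print("greedy:", strip_padding("abc==", lazy=False))
```

On the sample line the keep_all variant returns the value with its = sign, and both negated_class and lazy_dot return it without. The strip_padding calls show why the ? matters: on a value ending in == the lazy form stops at the first = and returns abc, while the greedy form returns abc=.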