I'm facing a problem with rex and have worked through many, many threads, which didn't help me solve this issue.
I have logs with attribute-based XML (XACML) and want to extract a value, which can be found after 2 special key-phrases in 2 lines.
Here is a log example, which should help to understand this issue.
Well, I can get every value by this simple rex-command.
rex max_match=0 "string\">"(?<parameter>.*?)</xacml-ctx:AttributeValue>
But I only need value2, which can clearly be identified by the name "function2" in the line above.
From other examples I know this rex command should start with:
rex field=_raw ".*function2(?:\n|.)*
The expression (?:\n|.)* matches any sequence of characters, including a newline.
Next is a kind of verify/bridge-statement. (?=string\">)
The expression (?=string\">) checks that the previous expression is followed by string\"> , without "eating up" the match, so it is left for the next expression to pick up.
And last, my known search and extract string.
"string\">"(?<parameter>.*?)</xacml-ctx:AttributeValue>
But putting all parts together doesn't work.
rex field=raw ".*function2(?:\n|.)*(?=string\">)"string\">"(?<parameter>.*?)</xacml-ctx:AttributeValue>"
What's the reason? Could it be a simple problem of connecting statements together?
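Added example, not part of the original post: the same regex pieces run with Python's `re` module over a constructed XACML excerpt, comparing a greedy `(?:\n|.)*` bridge with a lazy `(?:\n|.)*?` one. The log layout, the attribute ids function1 to function3 and the helper names are assumptions, since the post's own log excerpt is not shown; Python writes the named group as `(?P<parameter>...)`, where rex accepts `(?<parameter>...)`.

```python
import re

# Constructed sample: the post's own log excerpt is not shown on the page.
# Attribute ids function1..3 and the line layout are assumptions.
DT = 'DataType="http://www.w3.org/2001/XMLSchema#string">'
SAMPLE = "\n".join(
    f'<xacml-ctx:Attribute AttributeId="function{i}">\n'
    f'<xacml-ctx:AttributeValue {DT}value{i}</xacml-ctx:AttributeValue>\n'
    f'</xacml-ctx:Attribute>'
    for i in (1, 2, 3)
)

# The extraction part from the post (Python spelling of the named group).
VALUE = r'string">(?P<parameter>.*?)</xacml-ctx:AttributeValue>'


def extract_all(text):
    """Equivalent of rex max_match=0: every AttributeValue in the event."""
    return [m.group("parameter") for m in re.finditer(VALUE, text)]


def extract_after(text, key, greedy):
    """Return the value following `key`, using a greedy or lazy bridge.

    Greedy (?:\\n|.)* first runs to the end of the event and backtracks,
    so it stops at the LAST string"> after the key. Lazy (?:\\n|.)*?
    expands one character at a time and stops at the FIRST one.
    """
    bridge = r'(?:\n|.)*' if greedy else r'(?:\n|.)*?'
    # The lookahead from the post is kept; it is redundant because VALUE
    # begins with the same literal it asserts.
    pattern = re.escape(key) + bridge + r'(?=string">)' + VALUE
    m = re.search(pattern, text)
    return m.group("parameter") if m else None


if __name__ == "__main__":
    print("all values   :", extract_all(SAMPLE))
    print("greedy bridge:", extract_after(SAMPLE, "function2", greedy=True))
    print("lazy bridge  :", extract_after(SAMPLE, "function2", greedy=False))
```

This covers only the regular-expression behaviour; quoting of the pattern and the `field=` argument are handled by the rex command itself.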