It seems that there is no way to extract fields with a '.' in the name.
I'm trying to use field extractors on our older data to create fields matching the newer data json fields.
{ "pirate": { "say": "Shiver me timbers" } }
pirate.say = "Shiver me timbers"
To test this, you can do something like this:
| metadata type=hosts index=_internal
| head 1
| eval message="Shiver me timbers, goes the pirate"
| table message
| rex field=message "(?<pirate.say>[^,]+)"
But all I get for my efforts is the same error message in both the 'rex' prototype described above and the 'Field extractions' page.
From the 'rex' prototype I get:
Error in 'rex' command: Encountered the following error while compiling the regex '(?<pirate.say>[^,]+)': Regex: syntax error in subpattern name (missing terminator)
From the 'Fields » Field extractions » Add new' I get:
Encountered the following error while trying to save: Regex: syntax error in subpattern name (missing terminator)
So any thoughts on how I can solve this one?