topic Extracting multiple values from Rex in Reporting

Extracting multiple values from Rex

nirmeshsolanki — Fri, 16 Oct 2020 19:44:06 GMT

Hello,

Looking for some assistance with the existing query
rex max_match=0 field=_raw "IP BLOCK TYPE\",value=\"(?<IP_Block_Type>.*?)\s*(\w*+)\]"|
eval IP_Block_Type= substr(IP_Block_Type, 1, len(IP_Block_Type)-1)

This query gives us a column with outputs

Need assistance with pulling exact details in the column which will only have "OVERRIDE".

Thanks

Re: Extracting multiple values from Rex

somesoni2 — Fri, 16 Oct 2020 19:52:05 GMT

What's the raw data for which your regex currently extract those field values?

Give this a try as well.

rex max_match=0 field=_raw "IP BLOCK TYPE\",value=\"(?<IP_Block_Type>[^\"]+)"

Re: Extracting multiple values from Rex

nirmeshsolanki — Fri, 16 Oct 2020 20:37:57 GMT

@somesoni2 The query you provided, gives me all the possible results which come under IP_BLOCK_TYPE

Re: Extracting multiple values from Rex

nirmeshsolanki — Fri, 16 Oct 2020 20:44:42 GMT

@somisoni2 the query you provided gives me "Publi" and "Privat" outputs in the table.

Re: Extracting multiple values from Rex

Nisha18789 — Fri, 16 Oct 2020 21:25:53 GMT

Hi @nirmeshsolanki , my bad but I am not sure what result you are expecting in field IP_Block_Type in final output, can you share the expected output you are looking for.

Re: Extracting multiple values from Rex

nirmeshsolanki — Fri, 16 Oct 2020 21:35:52 GMT

Hi @Nisha18789 , I am looking for an output "OVERRIDE" in the column IP_BLOCK_TYPE.

so we have the below outputs in the column:

Public

Private",descendants_action={option_with_ea:"INHERIT",option_without_ea:"NOT_INHERIT"},operation="OVERRIDE

Public",operation="OVERRIDE

But I am just looking for values containing OVERRIDE.

Thanks

Re: Extracting multiple values from Rex

to4kawa — Sat, 17 Oct 2020 00:32:15 GMT

| rex "(?<your_want>\bOVERRIDE\b)"
| where isnotnull(your_want)
how about this?

Re: Extracting multiple values from Rex

Nisha18789 — Sun, 18 Oct 2020 14:13:45 GMT

Hi @nirmeshsolanki , can you try this and let me know if it works

|rex field=_raw "operation=\"(?<IP_Block_Type>.\w+)\""
|where isnotnull(IP_Block_Type)

Re: Extracting multiple values from Rex

nirmeshsolanki — Tue, 20 Oct 2020 08:05:10 GMT

Worked perfectly.

Thanks a lot.

Re: Extracting multiple values from Rex

nirmeshsolanki — Tue, 20 Oct 2020 14:03:17 GMT

Hi @Nisha18789

Thanks a lot for the help in the previous query, I missed adding one more detail on the previous post which is :

Messages which I see in my column:

1.[name="IP BLOCK TYPE",value="Private",operation="OVERRIDE"]

2.[name="IPBLOCKTYPE",value="Public",descendants_action={option_with_ea:"INHERIT",option_without_ea:"NOT_INHERIT"},operation="OVERRIDE"]

Your solution works perfectly for 1st logic, need to add some query to the second option which would block descendants_action in the query which you provided earlier.

Thanks a lot again.