I need to capture both "D" OR "=" using (D|=).
Editing the regex of the field extractor this works:
=(?P<FIELDNAME>[a-zA-Z0-9_.]+)[_.]geom
But why does this not work?
(D|=)(?P<FIELDNAME>[a-zA-Z0-9_.]+)[_.]geom
It returns:
Invalid regex: no named extraction at position 0 (i.e., "(D|=)(?P<F..."). Expected "(?P<variable>pattern)"
Not sure why but the same regex using "(x|y)" that did not work in the Field Extractor works OK when directly done in Search:
index=main sourcetype="mapfluence" | head 10000 | rex "(%3D|=)(?P<FIELDNAME>[^=^(%3D)]+)[_.]geom" | top 50 FIELDNAME
I think it's a bug in the field extractor. It is making an assumption that every regex capturing group has a field name. The rex search command makes no such assumption.
Sounds like a quirk in the field extractor, assuming that every capturing group has to have a named variable to go with it. A suitable workaround might be:
[D=](?P<FIELDNAME>[a-zA-Z0-9_.]+)[_.]geom
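An added example, not from the thread or from Splunk: a Python sketch of another way around the error quoted above, rewriting unnamed capturing groups as non-capturing `(?:...)` so that the named group is the only capturing one. This also covers the multi-character `%3D` alternative from the search-time regex, which a single-character class cannot express. Python's `re` stands in for Splunk's regex engine, the helper names and sample events are constructed for illustration, and it is an assumption that the field extractor accepts non-capturing groups.

```python
import re

def unnamed_groups(pattern: str) -> int:
    """Count capturing groups that carry no (?P<name>...) label."""
    rx = re.compile(pattern)
    return rx.groups - len(rx.groupindex)

def to_non_capturing(pattern: str) -> str:
    """Rewrite each bare '(' as '(?:'; leave named groups, other '(?...)'
    constructs, escapes and character classes untouched."""
    out, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):      # escaped char: copy both
            out.append(pattern[i:i + 2]); i += 2; continue
        if in_class:
            in_class = ch != "]"                     # ']' closes the class
        elif ch == "[":
            in_class = True
            j = i + 1
            if pattern[j:j + 1] == "^": j += 1       # negation marker
            if pattern[j:j + 1] == "]": j += 1       # leading ']' is a literal
            out.append(pattern[i:j]); i = j; continue
        elif ch == "(" and pattern[i + 1:i + 2] != "?":
            out.append("(?:"); i += 1; continue
        out.append(ch); i += 1
    return "".join(out)

def extract(pattern: str, events):
    """Return the FIELDNAME capture per event, or None when nothing matches."""
    rx = re.compile(pattern)
    return [m.group("FIELDNAME") if (m := rx.search(e)) else None for e in events]

# Regex shape from the thread, with the %3D alternative used in the search.
ORIGINAL = r"(%3D|=)(?P<FIELDNAME>[a-zA-Z0-9_.]+)[_.]geom"
FIXED = to_non_capturing(ORIGINAL)

# Constructed sample events, not taken from the original data.
SAMPLE = [
    "GET /query?layer=census.tracts_geom&fmt=json",
    "GET /query?layer%3Droads.major.geom&fmt=json",
    "GET /health",
]

if __name__ == "__main__":
    print(FIXED, unnamed_groups(ORIGINAL), unnamed_groups(FIXED))
    print(extract(FIXED, SAMPLE))
```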