Solved: Re: Regex Help

jacqu3sy · ‎03-16-2018

Hi,

I need a regex to extract at search time the values after ACTION[*] and up to the next character, regardless of whether its in quotes or not. So the values "100", or 'alter user blah identified by *' from the following examples;

ACTION:[3] "100" RETURNCODE:[1]
ACTION :[32] 'alter user scott identified by *' DATABASE

Thanks.

tiagofbmm · ‎03-16-2018

Hey

Try this

| rex field=_raw "ACTION\s\:\[\d+\]\s(?<YourFiledName>[\'|\"][^\'|\"]*[\'|\"])"

View solution in original post

tiagofbmm · ‎03-16-2018

Hey

Try this

| rex field=_raw "ACTION\s\:\[\d+\]\s(?<YourFiledName>[\'|\"][^\'|\"]*[\'|\"])"

jacqu3sy · ‎03-16-2018

It nearly worked, extracted out the 'alter user scott identified by *' ok, but I didnt get "100" back as a value...

tiagofbmm · ‎03-16-2018

Yes, I missed a * in the first \s:

 | rex field=_raw "ACTION\s*\:\[\d+\]\s(?<YourFiledName>[\'|\"][^\'|\"]*[\'|\"])"

jacqu3sy · ‎03-16-2018

Awesommmmmmme.

Worked perfectly. Many thanks.

Regex Help

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!