Archive

Regex file name after space

Path Finder

Hi,

Regex wimp here...

I need to extract the file name after the word detected fro ma _raw event.

Example of _raw log;

change to a file has been detected /etc/fileinquestion.conf

I've tried the following but it errors;

| rex field=_raw "detected\s*(?*)"

Any helps appreciated. Thanks.

Tags (1)
0 Karma
1 Solution

Champion

Hi can you try:

    | rex field=_raw "detected\s*(?P<filename>.*)"

View solution in original post

Influencer

Considering that your message might vary the part before the file name, i think you should use a negative lookahead style, like this

 | rex field=_raw "(?=\/)(?P<filename>.*)"

Path Finder

It works, but I'm not sure how!? Would you mind explaining what the (?=\/) achieves?

0 Karma

Influencer

It says to the regex processor to not capture anything until it finds the /.

It is more agile than assuming the logs always have the word "detected". But it's up to your specific scenario though.

If it suits you, please upvote the answer as it is a valid option

0 Karma

Path Finder

Great. Thanks.

0 Karma

Champion

Hi can you try:

    | rex field=_raw "detected\s*(?P<filename>.*)"

View solution in original post

Path Finder

Worked a treat. Thanks.

0 Karma

Champion

Please accept answer if its helpful.. 🙂

0 Karma