I'm trying to extract to fields from a precalculated field and so far I've trouble with the forward slash character.
My field is formed like this:
I've tried the following : rex field=FieldGloba "(?[a-zA-Z0-9]+)\/(?[a-zA-Z0-9]+)"
So far, it works for a lot of logs but for some, it gave something like:
Do you know how to work with that ?
Thanks for your help !
Same result apparently. I still have the "/" character that seems to be converted as %2F in some logs ...
I guess the raw data itself contains the that forwarder slash converted to %2F. So how about this?
your base search | rex field=FieldGloba "(?<FieldExtracted1>.)(\/|%2F)(?<FieldExtracted1>.+)"
Well at this time, I would ask for sample events (scrub any sensitive information) for both scenarios ( where it's working and where it's not).
I got my problem ...
The logs I was trying to parse was Internet access logs.
I was trying to separate the Mime Type field precalculated which was formed like this:
mt=video/mp4 for example.
My extraction was: rex field=mt "(?[a-zA-Z0-9]+)/\//(?[a-zA-Z0-9]+)"|
And ... I discover that some logs include in the URL the "mime" value ...
So the treatment I was trying to do was also based on this value ...
I've corrected the name of the extracted field and it's working fine ...
Thanks a lot for your help !!!!