- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I would like to extract data from inside a parenthesis to create a new field
This command for a search works well:
rex field=user_description "((?[^)]*)"
But when a try to configure this inside a query of a dashboard it does not work i guess because some incomptability with xml
The alternative is to extract field in the sourcetype but I am not able to obtain regular expression
Could anyone provide the regex code
Example of the data:
{"userid": 1, "action": "development (project)", "user_description": " Michael Jordan (adm-Jordan)"}
And I would like to obtain: adm-Jordan
Please take into account that other fields can contain information between parenthesis but in my case I would like to obtain data inside parenthesis when first coincidence after user_description appears
Many thanks a lot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Check this
| makeresults
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}"
| spath path=user_description output=user_description
| rex field=user_description "\((?P<result>[^)]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Check this
| makeresults
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}"
| spath path=user_description output=user_description
| rex field=user_description "\((?P<result>[^)]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vnravikumar ,
The thing is that I need this search to be included in a dashboard and when I write it in the code
I have this error "Unexpected close tags" and it is a problem of the line of rex
The data has to be shown in a dashboard, not simple search.
Yu know what could be the problem?
Thanks
Jaime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to post your XML?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vnravikumar
Yes, here you have
<form>
<label></label>
<fieldset submitButton="false">
<input type="time" token="time_picker" searchWhenChanged="true">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Test</title>
<search>
<query>
| makeresults
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}"
| spath path=user_description output=user_description
| rex field=user_description "\((?P<result>[^)]+)"
| table _time user_description result
</query>
<earliest>$time_picker.earliest$</earliest>
<latest>$time_picker.latest$</latest>
</search>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
What I checked it should be something regarding rex command
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try like
| rex field=user_description "\((?P<result>[^)]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it works @vnravikumar
lots of thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please accept my answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}"
| spath
| rex field=user_description "\((?<description>.*)\)"
spath is useful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi to4kawa,
This is not what i want.
The spath command extracts field and value pairs on structured event data, such as XML and JSON.
What I want to extract is only the data inside the parenthesis related to user_description field
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see, my answer is updated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @to4kawa ,
The thing is that I need this search to be included in a dashboard and when I write it in the code
I have this error "Unexpected close tags" and it is a problem of the line of rex
The data has to be shown in a dashboard, not simple search.
Yu know what could be the problem?
Thanks
Jaime
