I have a field pluginText field which has plugin paths with multiple values, i want to extract each path
for example in a json event pluginText looks like:
{,..., "pluginText": "<plugin_output>\nNessus detected 8 installs of Microsoft OneDrive:\n\n Path : C:\\Users\\user1\\AppData\\Local\\Microsoft\\OneDrive\\\n Version : 22.238\n\n Path : C:\\Users\\user2\\AppData\\Local\\Microsoft\\OneDrive\\\n Version : 25.140\n\n Path : C:\\Users\\user3\\AppData\\Local\\Microsoft\\OneDrive\\\n Version : 21.180\n\n Path : C:\\Users\\user4\\AppData\\Local\\Microsoft\\OneDrive\\\n Version : 25.65\n\n Path : C:\\Users\\user5\\AppData\\Local\\Microsoft\\OneDrive\\\n Version : 21.220.\n\n Path : C:\\Users\\user6\\AppData\\Local\\Microsoft\\OneDrive\\\n Version : 25.179\n\n Path : C:\\Users\\user7\\AppData\\Local\\Microsoft\\OneDrive\\\n Version : 25.65\n\n Path : C:\\Users\\user8\\AppData\\Local\\Microsoft\\OneDrive\\\n Version : 21.220\n</plugin_output>", "....}
on search page \\n goes to new line, so i have written the following regex, on UI it's working to have multiple values
| rex max_match=15 field=pluginText "Path[\s\:]+(?<plugin_path>.*?)[\n\r]"
but when i tried to extract same with props and transforms using below, the extraction didn't work,
[logsourcetype]
REPORT-new_plugin_path = extracting_plugin_path
[extracting_plugin_path]
REGEX = Path[\s\:]+(?<plugin_path>.*?)[\n\r]
REPEAT_MATCH = true
MV_ADD = true
looking for working props and transforms for this kind of situation, thanks!
