How to extract complete string using regular expre...

Nith1 · ‎06-15-2021

Hi TEam

I have the below data in the logs how can i extract the complete string using regular expression .

4678-business-release-${table.date}-292_(2)
6789-business-release-06102021-292

I have tried using

| rex field=_raw "deploy_release\=(?<Deploy_Release>.[^\n][a-z0-9#][^\n])"

But i could get only the first values (i.e) 4678 and 6789 but not the completed string .Can someone please correct me

Thanks

kamlesh_vaghela · ‎06-15-2021

@Nith1

Can you please share your expected OP from you sample event?

Meanwhile can you please try this?

| rex field=_raw "deploy_release\=(?<Deploy_Release>.[^\n].*)"

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

ITWhisperer · ‎06-15-2021

| rex field=_raw "deploy_release\=(?<Deploy_Release>.*?)"

Can you share the full event as you might be able to do this a different way if the deploy_release field is not the remainder of the line and is delimited by a space for example

| rex field=_raw "deploy_release\=(?<Deploy_Release>[^\s]+)"

How to extract complete string using regular expression

Other

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

DevSecOps: Why You Should Care and How To Get Started