FW: [ DOC 45 ] DTP: DEMO XXX CCC | 20147I want to extract number after pie as field name "data". what is the regex?
You can check this and get to know how the data is extracted.https://regex101.com/r/dECVmS/1
Hi Karu, this should work by taking the raw data and only selecting the digits after the pipe character. The space after the pipe is ignored before the digits are placed into a new field named data.
| rex field=_raw "\|\s(?<data>\d*)"
FW: [ DOC 45 ] DTP: DEMO XXX CCC | 20147
I also need to separate [ DOC 45] as category DTP as type
demo xxx ccc as call
as long as the data structure doesn't change too much this should work.
| rex field=_raw ".*\[\s(?<category>.*)\s\]\s(?<type>\w*).*\|\s(?<data>\d*)"
Give this a try
\|(?<data>\d+)
