I need to extract the image name from a field, but I'm not getting it using the rex. Can you help me identify what the error is? When testing regex via website regex101 is functional.
index=teste | rex field=_raw "kubernetes_container_image: (?<container>.*)"
app: teste-app
cluster_account: teste-prod
kubernetes_container_image: rw-tested-001
app: teste-app2
cluster_account: teste-homolog
kubernetes_container_image: 1232ds-teste--002
app: teste-app3
cluster_account: teste-prod
kubernetes_container_image: rwteste-003
app: teste-app4
cluster_account: teste-homolog
kubernetes_container_image: teste-001
app: teste-app5
cluster_account: teste-prod
kubernetes_container_image: teste-001
app: teste-app6
cluster_account: teste-homolog
kubernetes_container_image: teste-001
Your title hints at JSON yet your example is not raw JSON. Try putting the double quotes back in
index=teste | rex field=_raw "\"kubernetes_container_image\": \"(?<container>.*)\""