Hi,
I need help extracting a word from a string.
string
Security agent installation attempted Endpoint: (Not Found)
Security agent intstallation attempted Endpoint: hostname
result
Not Found
hostname
How can I construct a regular expression to extract what I wanted?
Not sure how to remove the ")" at the "Not Found)".
|makeresults | eval string="Security agent installation attempted Endpoint: (Not Found)
Security agent intstallation attempted Endpoint: hostname"
| rex field=string max_match=0 ":\s+\(?(?P<result>.+)"
|table string result
Hi @7ryota,
you could use two regexes like the following:
| rex ":\s+\(*(?<result>.+)"
| rex field=result "^(?<result>[^)]+)"
The first extracts the full value and the second deletes the parenthesis when present.
Ciao.
Giuseppe
| rex ":\s+\(*(?<result>[^)]+)"
Hi @ITWhisperer ... I am trying to learn and understand your rex. I ran it, but it does not fetch the string. Not sure what went wrong. Please suggest.
I used this search:
|makeresults | eval string="Security agent installation attempted Endpoint: (Not Found)
Security agent intstallation attempted Endpoint: hostname"
| rex ":\s+\(*(?<result>[^)]+)"
|table string result
By default, rex operates on the _raw field. Either change your eval so it assigns to _raw rather than string, or add field=string to the rex.
Sure @ITWhisperer, but it still found only the first match. The "hostname" was not matched.
You can use rex max_match=0 to get multiple matches
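The patterns from this thread, replayed in Python's `re` module as an added example (not code from any of the posters). Python writes named groups as `(?P<result>...)`; the `LINE_SAFE` pattern and the reversed-order sample are assumptions added here to show that `[^)]` also matches line breaks when several events sit in one field.

```python
import re

# Constructed sample: the two lines from the question, plus the same
# two lines in reverse order (added here to expose the newline edge case).
QUESTION = ("Security agent installation attempted Endpoint: (Not Found)\n"
            "Security agent intstallation attempted Endpoint: hostname")
REVERSED = "\n".join(reversed(QUESTION.split("\n")))

# Patterns from the thread, with Python's (?P<name>...) group syntax.
ORIGINAL = r":\s+\(?(?P<result>.+)"      # question: ".+" keeps the ")"
NEGATED = r":\s+\(*(?P<result>[^)]+)"    # reply: capture stops at ")"
# Added variant (assumption, not from the thread): also stop at line breaks.
LINE_SAFE = r":\s+\(*(?P<result>[^)\r\n]+)"


def extract_all(pattern, text):
    """Every capture of 'result', comparable to rex max_match=0."""
    return [m.group("result") for m in re.finditer(pattern, text)]


def extract_first(pattern, text):
    """Only the first capture, comparable to rex without max_match."""
    m = re.search(pattern, text)
    return m.group("result") if m else None


if __name__ == "__main__":
    for name, pattern in (("ORIGINAL", ORIGINAL),
                          ("NEGATED", NEGATED),
                          ("LINE_SAFE", LINE_SAFE)):
        print(name, "question:", extract_all(pattern, QUESTION))
        print(name, "reversed:", extract_all(pattern, REVERSED))
    print("first match only:", extract_first(NEGATED, QUESTION))
```

In the search itself, the line-safe form is the same character class inside the rex pattern, `[^)\r\n]+`, combined with `field=string` and `max_match=0`.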