Solved: Fields Extraction using RegEx

syazwani · ‎09-23-2021

Hi, i want to extract bytes fields (using the bytes values) from this:

Sep 23 14:11:52 XXX.XXX.X.XX date=2021-09-23 time=14:11:52.004 device_id=FE-3KET123 log_id=6716781232 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id="47K0CjSc111111-47K0CjSc111111" msg="to=<XXXXXXXX@hotmail.com>, delay=00:00:04, xdelay=00:00:04, mailer=esmtp, pri=61772, relay=hotmail-com.olc.protection.outlook.com. [XXX.XX.XX.XXX], dsn=2.0.0, stat=Sent (<d97263bhagstbhbhet7c01f54636vfd37@GGP0HSDVVHHA9.XXX.XXX.XXX> [InternalId=32836723661134, Hostname=XXXXXXXXXX.namXXXX.prod.outlook.com] 71422 bytes in 0.303, 229.746 KB/sec Queued mail for delivery -> 250 2.1.5)"

I've already found the regex - (?<bxmt>\d+) bytes
But it didnt seem to work fine.
Can anyone help?

ashvinpandey · ‎09-24-2021

@syazwani Try using the below rex:

| rex field=_raw "InternalId.*\]\s(?<bxmt>\d+?)\sbytes"

Also, If this reply helps you, an upvote would be appreciated.

View solution in original post

ashvinpandey · ‎09-24-2021

@syazwani Try using the below rex:

| rex field=_raw "InternalId.*\]\s(?<bxmt>\d+?)\sbytes"

Also, If this reply helps you, an upvote would be appreciated.

ITWhisperer · ‎09-23-2021

It looks OK - how are you using it?

You could try using \s instead of spaces

\s(?<bxmt>\d+)\sbytes

Fields Extraction using RegEx

regex

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

Fields Extraction using RegEx

regex

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+