I have ton a couple of events like this:
Mime.stuff.1 = 10
Mime.pop = "blabla"
Basically I want to create a field "MimeProperty" and the require is to begin with a "Mime.". I'm having trouble working with the extractor as I don't fully understand it. Can anyone point me in the right direction ? Thanks in advance
Try this :
index=your_index | rex field=_raw "Mime.*\=\s(|\")(?P<MimeProperty>[^\s|\"]+)"
Let me know if it helps!!
If you get improper output then pls provide some sample events. like there is a confusion of space after "="
in every event.
Try this :
index=your_index | rex field=_raw "Mime.*\=\s(|\")(?P<MimeProperty>[^\s|\"]+)"
Let me know if it helps!!
If you get improper output then pls provide some sample events. like there is a confusion of space after "="
in every event.
@mayurr98 Nice it works plenty! Post as an answer for me to mark it as correct
You are welcome,
i have converted Please accept!
can you please elaborate on more sample events?
also what do you want to extract? 10 and blabla?
Those would be the values yes. I wan't every field that's starts off with Mime