Solved: Re: Help writting and fixing a rex query

phamxuantung · ‎08-04-2022

Hello,

I have a raw data that go like this

...
in[ 60: ]<3034>
in[ 62: ]<10>
in[ 62: ]<EC_CARDVER>
...

I want to extract the EC_CARDVER to a field name msg

My rex is

| rex field=_raw "(in)\[ 62: \]\<(?P<msg>)\>"

But it doesn't seem to catch on. How do I write to extract only the EC_CARDVER but not the 10 above it?

yuanliu · ‎08-04-2022

Assuming the difference is the first character must not be numerical, try

| rex "in\[ *\d+: *]<(?<msg>\D[^>]+)"

(You don't need to specify field when using _raw.)

yuanliu · ‎08-04-2022

Assuming the difference is the first character must not be numerical, try

| rex "in\[ *\d+: *]<(?<msg>\D[^>]+)"

(You don't need to specify field when using _raw.)

phamxuantung · ‎08-04-2022

Your query extract a different fields than what I want, because there're many rows that have 'in [ ]' before, so I tweak it a bit

| rex "in\[ *62+: *]<(?<msg>\D[^>]+)"

Then it work just the way I want it to. Thank you

Help writting and fixing a rex query