Hi,
I have the following sample field in my log.
filter=somename89898+20+O
I want to ideally extract 3 fields with + being separator, say:
name = somename89898
count = 20
state = O
However, + can also appear in the name, so I cannot use + to split, but here is what I know:
This will be in reverse (i.e. from last character):
The last character (one single character) of the field will always be an enum say {O or P}.
Previous to that, there will be one separator, and previous to that will be any number of digits.
Previous to that, there will be a separator, and anything that remains prior to that is the name field.
Another example to makes things clear:
filter=somename8+9898+20+O
Here, I want the following result:
name = somename8+9898
count = 20
state = O
Is there a way to achieve this?
Regards,
Aditya
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		Edit:
Lisa's answer is better:
filter\=(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$
You bet !
 
					
				
		
This forum may not be the best place to learn regular expressions, but I think this will do what you want
filter\=(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$
The above assumes that there is nothing on the line following the filter string. If you want to use this regular expression in a rex command, it would need to look like this
| rex field=filter "(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$"
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		Edit:
Lisa's answer is better:
filter\=(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$
You bet !
Thanks Iguinn.
The following too worked for me -
rex field=filter (?.*)\+(?\d+)\+(?O)
