How to extract a field using rex that contains bac...

retro-bloke · ‎12-08-2022

in the raw event there is a line that goes Brand\="xyz"

What's the rex command I can use to extract this in my search?

If possible, I'd like to remove the \ and "" from the extraction itself.

inventsekar · ‎12-08-2022

Hi @retro-bloke ... May i know if you are looking for a rex search query

or..

you want to update the props.conf file for the purpose of field extraction, please confirm, thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

retro-bloke · ‎12-08-2022

Hi @inventsekar, I am looking for a rex search query

inventsekar · ‎12-08-2022

Please check this: (you may need to modify little bit, depending on your logs.. if this does not work, pls give us some sample events)

| makeresults | eval temp="the test event is Brand\=\"xyz\"" 
|rex field=temp "(?P<brand>\w+)\"" 
|table temp brand

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

retro-bloke · ‎12-08-2022

I found that this also works

rex "Brand\\\=\"(?<brand>.*?)\""

the triple quotation marks escape the \, the \" surrounding the () handles the quotation marks in the event itself.

How to extract a field using rex that contains backslash and double quotation marks?