These are some samples of my logs: "07PRIVATE" or "06SAMPLE" or "08EXAMPLES"
The first two digits are the length of the string which follows the digits. Hence, I need to form the query based on the first field's (two digits') value. I tried the following regex:
(?<StringLength>\d{2})(?<MyString>\w{StringLength})
I could clearly see that the above regex is wrong. Please suggest how this can be done.
All the comments for this post helped me to solve the problem, but I had to make a few changes in their regex to suit all the different combinations. Following is my regex:
(?<StringLength>\d{2})(?<MyString>\w[a-z|A-Z|\s|0-1]*) | eval MyString=substr(MyString,1,StringLength)
The [a-z|A_Z|0-1]* part will match the string even if it has any spaces in between. For example, if my string is "08PRI VATE", it will match "PRI VATE" in my regex. Without the above change, it only matched "PRI" and stopped whenever there was a space.
Thank you all for your suggestions.
Your use of the pipe symbol inside the square brackets is wrong. You do NOT need the pipe. By placing it in there you are including that character in the set of characters to match.
The \w before the square brackets may also not be needed, since it is the set of [a-zA-Z0-9_] characters, which would be covered by what you have in the square brackets already.
I'm not trying to be picky about your solution, just trying to help clean it up. 🙂
Is it giving you the expected output? I tried this:
|makeresults|eval _raw="07PRI VATE"|rex "(?<StringLength>\d{2})(?<MyString>\w[a-z|A_Z|0-1]*)"| eval MyString=substr(MyString,1,StringLength)
It gives me MyString as only "P"
Else, try something like this:
|makeresults|eval _raw="07PRI VATE"|rex "(?<StringLength>\d{2})(?<MyString>.*)"| eval MyString=substr(MyString,1,StringLength)
Try this run-anywhere search:
| makeresults
| eval raw="07PRIVATE,06SAMPLE,08EXAMPLES"
| makemv raw delim=","
| mvexpand raw
| rex field=raw "(?<StringLength>\d{2})(?<MyString>\w+)"
In your environment, you should write:
<your_base_Search> | rex field=_raw "(?<StringLength>\d{2})(?<MyString>\w+)"
Let me know if this helps!
Hi @Naren26,
Try this:
|rex "(?<StringLength>\d{2})(?<MyString>\w+)"| eval MyString=substr(MyString,1,StringLength)
Try this run-anywhere search:
|makeresults|eval _raw="07PRIVATE"|rex "(?<StringLength>\d{2})(?<MyString>\w+)"| eval MyString=substr(MyString,1,StringLength)
The eval part helped me to solve the problem. But it needed a small change which I mentioned in my answer. Thanks @493669 !
I am running into another issue when using the eval method. If I have a string after MyString, then this will create problems. For example, if I have the log 07PRIVATEStationSt1256, how can I get the value "PRIVATE" only? Because, since we are taking the substring in eval, it will extract all the values after 07 and then take the substring in eval. Hence, I could not extract the strings StationSt and 1256.
Is there any other alternative, or can we modify the eval method itself?
As per your question, you want to extract the string up to the length which is specified in the first digits of MyString?
So in 07PRIVATEStationSt1256 it will extract only a 7-length string, which will be PRIVATE.
So are you expecting something else?
Yes, I need to extract the string with length based on the digits before that. But as per the following query,
|makeresults|eval _raw="07PRIVATEStationSt1256"|rex "(?\d{2})(?\w+)(?\w+)(?\d{3})"| eval MyString=substr(MyString,1,StringLength)
the modifier MyString will take "PRIVATEStationSt1256" and take the substring of length 07 from the original MyString value. I mean, taking the substring after the rex command causes the error. This is wrong.
Because, if the MyString value extracts "PRIVATEStationSt1256", then the values for StationName and StationId will be empty.
I hope you understand what the issue is here.
You haven't mentioned any capture group, so I don't think your rex will work....
Try this:
|makeresults|eval _raw="07PRIVATEStationSt1256"|rex "(?<StringLength>\d{2})(?<MyString>\w+)"| eval MyString=substr(MyString,1,StringLength)
But I am still unable to get what you are trying to say.... if your raw is PRIVATEStationSt1256, then what output are you expecting in MyString?
I need to extract the following values:
StringLength = 07
MyString = PRIVATE
StationName = StationSt
StationId = 1256
I have used the following query:
|makeresults|eval _raw="07PRIVATEStationSt1256"|rex "(?<StringLength>\d{2})(?<MyString>\w+)(?<StationName>\w+)(?<StationId>\d{4})" | eval MyString=substr(MyString,1,StringLength)
In the above query, the value MyString will always be extracted correctly, as expected. But the value StationName is not correct. Try removing the eval statement and run the above query. You will get to know what the issue I am talking about is.
Hey, try this regex:
|makeresults|eval _raw="07PRIVATEStationSt1256"|rex "(?<StringLength>\d{2})(?<MyString>[A-Za-z]+)(?<StationId>\d{4})"| eval MyString1=substr(MyString,1,StringLength), StationName=substr(MyString,StringLength+1)
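The two problems raised in this thread, the embedded space in "08PRI VATE" and the trailing fields in "07PRIVATEStationSt1256", are both the same parsing job: read the two-digit length, cut exactly that many characters, and only then parse whatever follows. A regex cannot use a captured number as its own quantifier, so the cut has to happen outside the regex, exactly as the rex plus eval substr() searches above do. The Python below is an added example, not part of the original post and not Splunk code; it mirrors the rex/substr logic on constructed sample events, adds the check a parser needs (a declared length that overruns the event is rejected instead of silently truncated), and the layout of the trailer (letters then digits) is an assumption taken only from the one sample event in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Same shape as the thread's rex: two digits of length, then everything else.
# The captured length cannot be fed back into this regex as a quantifier, so
# the cut is done in code below (the equivalent of eval substr()).
PREFIX_RE = re.compile(r"^(?P<StringLength>\d{2})(?P<Rest>.*)$", re.S)

# Trailer layout (letters, then digits) is an assumption based solely on the
# single sample "07PRIVATEStationSt1256" from the thread.
TRAILER_RE = re.compile(r"^(?P<StationName>[A-Za-z]*)(?P<StationId>\d*)$")


@dataclass
class Parsed:
    StringLength: int
    MyString: str
    StationName: Optional[str]
    StationId: Optional[str]


def parse_event(raw: str) -> Parsed:
    """Parse one length-prefixed event. Raises ValueError on malformed input."""
    m = PREFIX_RE.match(raw)
    if not m:
        raise ValueError(f"no two-digit length prefix: {raw!r}")
    length = int(m.group("StringLength"))
    rest = m.group("Rest")

    # Validate the declared length against what is actually present. A prefix
    # larger than the remaining data means truncation or a malformed event;
    # substr() would quietly return a short string and hide the problem.
    if length > len(rest):
        raise ValueError(
            f"declared length {length} exceeds {len(rest)} available chars: {raw!r}"
        )

    # Equivalent of substr(Rest, 1, StringLength) and substr(Rest, StringLength+1).
    # Slicing by count keeps embedded spaces ("PRI VATE"), which \w+ would not.
    my_string = rest[:length]
    remainder = rest[length:]

    if not remainder:
        return Parsed(length, my_string, None, None)

    t = TRAILER_RE.match(remainder)
    if not t:
        raise ValueError(f"unexpected trailer after length-prefixed field: {remainder!r}")
    return Parsed(
        length,
        my_string,
        t.group("StationName") or None,
        t.group("StationId") or None,
    )


def is_well_formed(raw: str) -> bool:
    """True if the event parses, False if the length prefix or trailer is bad."""
    try:
        parse_event(raw)
        return True
    except ValueError:
        return False


def parse_events(lines: List[str]) -> List[Parsed]:
    """Parse every well-formed event; malformed events are skipped."""
    return [parse_event(line) for line in lines if is_well_formed(line)]


# Constructed sample events, modelled on the ones quoted in the thread.
# "09PRIVATE" is deliberately malformed: it declares 9 chars but carries 7.
SAMPLE_EVENTS = [
    "07PRIVATE",
    "06SAMPLE",
    "08EXAMPLES",
    "08PRI VATE",
    "07PRIVATEStationSt1256",
    "09PRIVATE",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        if is_well_formed(line):
            print(line, "->", parse_event(line))
        else:
            print(line, "-> rejected (bad length prefix or trailer)")
```

The Splunk equivalent of the same two-step cut is the search just above (rex for the length and the rest, then substr() with StringLength and StringLength+1); what this example adds is the length check, which eval substr() will not do for you.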
Hi Naren26,
It's not possible to extract a variable number out of a regular expression and use it within that same expression.
Why not give this one a try:
(?<StringLength>\d{2})(?<MyString>\w+)
OR
(?<StringLength>\d{2})(?<MyString>[^\s]+)
After your log, what data is present, i.e. after "07PRIVATE", what string is present?
Could you please provide sample events