I have a text as follows:
Hello OFF anything blah blah & ^ anything - )< OFF anything blo blo & ^ ble - )< OFF anything bli bli & ^ ble - )<
I need to extract all the fields that start with OFF
and end with the two characters )<
In my case, 3 fields need to be extracted.
I wrote a search, but it only extracts the first occurrence, while I want to extract all the fields:
sourcetype=imap OFF | rex field=_raw "OFF (?<myfields>.*?)\)\<"
This should work (use only the rex command segment)
| gentimes start=-1 | eval _raw="Hello OFF anything blah blah & ^ anything - )< OFF anything blo blo & ^ ble - )< OFF anything bli bli & ^ ble - )<" | rex max_match=0 field=_raw "OFF\s(?<field>[^\)]+)" | table field
How about this?
rex "(?ms)(?<=OFF )(?<myFields>.*)(?=\)\>)"
If that doesn't work, try it without (?ms).
You might also have to break the source data into one event per line.
Your regular expression selects the text starting with OFF and ending with )< into one field, but it did not split it into 3 fields. I can't break the source data into one event per line (it's an email that I'm trying to decode).
Did it split the desired fields by spaces but into just one field?
If so we can fix it from there.
Thank you.
I also tried it without (?ms); the result is the same, one field was selected, as follows:
the field starts with the first occurrence of OFF and ends with the last occurrence of )>
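To make the behaviour discussed in this thread reproducible, here is an added example (not code from the question or either answer) that runs the patterns from the question, the first answer and the second answer through Python's re module, which treats these constructs (lazy quantifiers, negated character classes, lookbehind/lookahead, the (?ms) flags) the same way Splunk's PCRE-based rex does. The input is the constructed test string from the first answer. Two things are assumptions of this example rather than taken from the thread: the second answer's lookahead is written with the terminator that actually appears in the sample data, )<, instead of the )> it was posted with, so that it matches at all; and a corrected lookaround variant with a lazy .*? is included to show how the "one big field" result is fixed. In Splunk itself the equivalent fix for the question's own search is simply adding max_match=0 to the rex (the default is 1, which is why only the first occurrence came back); the field then becomes multivalue, and | mvexpand myfields turns it into one row per value.

```python
import re

# Constructed sample event, copied from the first answer's eval _raw=... test string.
RAW = ("Hello OFF anything blah blah & ^ anything - )< "
       "OFF anything blo blo & ^ ble - )< "
       "OFF anything bli bli & ^ ble - )<")


def extract_first_only(raw):
    """The question's rex as posted (no max_match): only the first match is returned."""
    m = re.search(r"OFF (?P<myfields>.*?)\)<", raw)
    return [m.group("myfields")] if m else []


def extract_all_lazy(raw):
    """The question's pattern with max_match=0 semantics: every OFF ... )< segment.
    The lazy .*? stops at the first )< after each OFF, so the three segments stay separate."""
    return re.findall(r"OFF (.*?)\)<", raw)


def extract_all_negated_class(raw):
    """The first answer's pattern, OFF\\s(?<field>[^\\)]+), with max_match=0.
    A negated class can never run past a ')', so greediness is not a problem here."""
    return re.findall(r"OFF\s([^\)]+)", raw)


def extract_greedy_lookaround(raw):
    """The second answer's pattern, with the terminator changed to )< (assumption, see lead-in).
    The greedy .* runs to the end of the event and backtracks only to the LAST )<,
    so everything between the first OFF and the last terminator lands in one field."""
    return re.findall(r"(?ms)(?<=OFF )(.*)(?=\)<)", raw)


def extract_all_lookaround_lazy(raw):
    """Corrected lookaround variant (assumption): making the quantifier lazy restores
    one match per OFF ... )< segment, and the lookarounds keep the delimiters out of the value."""
    return re.findall(r"(?ms)(?<=OFF )(.*?)(?=\)<)", raw)


if __name__ == "__main__":
    for fn in (extract_first_only, extract_all_lazy, extract_all_negated_class,
               extract_greedy_lookaround, extract_all_lookaround_lazy):
        values = fn(RAW)
        print(f"{fn.__name__}: {len(values)} value(s)")
        for v in values:
            print("   ", repr(v))
```

Note that all of the working variants keep the trailing space before )< inside the captured value (the sample text has "- )<"); if that matters downstream, either trim the value afterwards or end the capture with \s*\)< instead of \)<. The greedy variant returns exactly one value spanning all three segments, which is the "first OFF to last terminator" result reported above.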