Solved: How to extract content from field using rex?

ivana27 · ‎01-11-2021

Dears,

please help. I have log like this

[Information] PosService AddInfo:[5006] - Stop customer

And i want to show in table message after ":", currently i am using rex like this but i dont have result:

| rex field=_raw "PosService\sAddInfo\:(?<addinfo>\w+|)"

Thank you!

gcusello · ‎01-11-2021

if the code you need to display is only the code between square parenthesis, you could use a regex like this:

| rex "PosService\s+AddInfo:\[(?<addinfo>\d+)"

If instead you need to display all the message until the end of the row, you have to use the following regex:

| rex "PosService\s+AddInfo:(?<addinfo>.+)"

Ciao.

Giuseppe

gcusello · ‎01-11-2021

if the code you need to display is only the code between square parenthesis, you could use a regex like this:

| rex "PosService\s+AddInfo:\[(?<addinfo>\d+)"

If instead you need to display all the message until the end of the row, you have to use the following regex:

| rex "PosService\s+AddInfo:(?<addinfo>.+)"

Ciao.

Giuseppe

General_Talos · ‎01-11-2021

I hope @gcusello answer suffice.

If you want to extract after ":" (and considering whatever before ":") you can also use

":\[(?<addinfo>\d+)]"
OR
":(?<addinfo>.+)"

How to extract content from field using rex?