Hi all,
I have the following events
source_host=lioness1 source_host_description="This is the main server"
source_host=lion source_host_description="This is SQL server"
I need to extract the description, which is all the text between double quotes and assign it to the field description. Would you please help?
At search time, use this rex command:
| rex "\\\"(?<description>[^\\\"]+)"
The same regex should work at index time, just without the escape characters.
Hi @richgalloway - How about in this case?
Where we have multiple values within double quotes, to be put into different field names according to the key name we have.
All values have to be in separate field names, each one being the text within double quotes.
As the last reply on this thread stated, this question has an accepted answer so it's unlikely to draw more viewers. Please post a new question.
Hi,
it looks like we need to escape double quotes. Do you advise this log format:
key=value instead of key="value"? Thanks.
This question has an accepted answer so it's unlikely to draw more viewers. Please post a new question.
Thanks, but this could match any string between "". My bad, I didn't make it clear enough. I can have other values between double quotes and I want to make sure that this regex only matches the description, so I did something like this:
rex "description=\\\"(?<description>[^\\\"]+)"
But it didn't work.
Your regex should work, assuming there is no hidden white space in the data. Is source_host_description an extracted field? If so, you can use the original regex against that one field.
| rex field=source_host_description "\\\"(?<description>[^\\\"]+)"
If that doesn't work then it might help if you shared a full (sanitized) raw event.
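As an added illustration of the two regexes discussed above (this is not code from the thread, and it uses Python's re module rather than Splunk's rex, which is why the `\\\"` SPL string escaping disappears), the script below runs the unanchored regex from the accepted answer and the key-anchored regex from the follow-up over the two posted events plus one constructed event that has a second quoted value (the `owner` key is an assumption, added only to show the difference). It also includes a small key=value tokenizer that puts every quoted value into its own field and accepts `\"` inside a quoted value, which is the escaping question raised later in the thread.

```python
import re

# Sample events: the first two are the lines posted in the question, the third
# is constructed for this example and adds a quoted value *before* the
# description so that the two regexes give different results.
EVENTS = [
    'source_host=lioness1 source_host_description="This is the main server"',
    'source_host=lion source_host_description="This is SQL server"',
    'source_host=tiger owner="dba team" source_host_description="Replica of lion"',
]

# Unanchored regex from the accepted answer. In SPL it is written
#   "\\\"(?<description>[^\\\"]+)"
# because the SPL string literal needs \\ and \" escaping; as a Python raw
# string the pattern is simply a quote followed by a run of non-quote text.
UNANCHORED = re.compile(r'"(?P<description>[^"]+)')

# Anchored to the key. description=" is a substring of
# source_host_description=", so it matches the sample events too, but it
# skips any other quoted value that appears earlier in the line.
ANCHORED = re.compile(r'description="(?P<description>[^"]+)')


def extract_unanchored(event):
    """First quoted value in the event, whatever key it belongs to."""
    m = UNANCHORED.search(event)
    return m.group("description") if m else None


def extract_anchored(event):
    """Quoted value that follows a key ending in 'description'."""
    m = ANCHORED.search(event)
    return m.group("description") if m else None


# Tokenizer for key=value and key="quoted value" pairs. A quoted value may
# contain \" (an escaped quote); each key becomes its own field, which is what
# the follow-up asking for "different field names" wanted.
KV = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S+))')


def parse_kv(event):
    """Return a dict of every key=value pair in the event."""
    fields = {}
    for m in KV.finditer(event):
        if m.group("quoted") is not None:
            # Unescape \" back to a plain quote inside the value.
            fields[m.group("key")] = m.group("quoted").replace('\\"', '"')
        else:
            fields[m.group("key")] = m.group("bare")
    return fields


if __name__ == "__main__":
    for event in EVENTS:
        print("unanchored:", extract_unanchored(event))
        print("anchored:  ", extract_anchored(event))
        print("all fields:", parse_kv(event))
```

On the third event the unanchored regex returns `dba team`, the value of the first quoted field, while the anchored one returns `Replica of lion`; on the two posted events both agree, which is consistent with the reply that the anchored regex "should work" on that data.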