Hi All,
I have a snippet as below :
requestId="8b749da4-2996-437f-954d-2b679cd3239b" Transaction Id= 1234, Alpha= 56789, Beta= 09876, Code= 999
I want to extract this Code. Please note that "Code" has trailing = with space.
Code
How do I extract this?
try this one
... | rex field=_raw "Code=\s+(?<code>[^\s,]+)" | table code
Try this:
... | rex field=_raw "Code=\s*(?<code>\d+)" | table code
This does not seem to be working. I am getting blank blank values for code
Could you post a sample event in its entirety?
Try replacing \d+ with \w+
