- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The log contains string in this format below.
name:X_device:Y_
name-U:X1_Y2_
It has a mixed pattern, and I'm wondering how to use wildcard if I do the regex for name and device in a string (inside double quotations) like below?
rex "name *wildcard* (?<name>\w*)_"
rex "device *wildcard* (?<device>\w*)_"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should do it. (runanywhere sample search. Replace everything before rex with your search)
| gentimes start=-1 | eval raw="name:X_device:Y_#name-U:X1_Y2_" | table raw | makemv raw delim="#" | mvexpand raw | rename raw as _raw
|rex "name[^:]*:(?<name>[^_]+)_(device:)*(?<device>[^_]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should do it. (runanywhere sample search. Replace everything before rex with your search)
| gentimes start=-1 | eval raw="name:X_device:Y_#name-U:X1_Y2_" | table raw | makemv raw delim="#" | mvexpand raw | rename raw as _raw
|rex "name[^:]*:(?<name>[^_]+)_(device:)*(?<device>[^_]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! This works!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The concept of "wildcard" is more refined in regex so you just have to use the regex format. If you expect 0 or more repetitions of any character, for example, you would use .* instead if just *.
In regex, * means 0 or more repetition of any character preceding it; in one of your examples, name *wildcard*, the first "*" represents 0 or more white spaces, whereas the second "*" represents 0 or more letter "d". If you want your "wildcard" to represent any character in any repetition, you precede "*" with special character ".", which in regex can represent any singe character.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @limalbert, Please format any search/code/data sample that you post using code button (button with '101010' above the editor) or by pressing Ctrl+K.
In the 2nd example, there is no keyword for device, is that correct or typo? Are you looking for wildcarding the one which I highlighed here: name**:**X and name**-U:**X1 ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @somesoni,
I edited the question.
For the second example for device, there is no keyword, and that's why it's a little bit difficult. I found another alternate to wildcard by using this (?:[^/]+)?. I successfully use this to get name field, but I'm still working on the device since it doesn't have keyword.
rex "name(?:[^/]+)?:(?<name>\w*)_"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try (single rex to extract both)
rex "name[^\:]+\:(?<name>\w+)_(device\:)*(?<device>\w+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, the output for device is actually only "Y". It only give the one with keyword, but it doesn't give the one without keyword.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me understand what you did after name? Specifically this one, [^:]+.
Also, it works to get only the first device, so the only output is device:Y.
