Hello, I have events with complex/inconsistence data structure. Need to extract field 2 values under 2 different fields. The regex I wrote is not working for all cases. My regex and sample events are given below. Any help will be appreciated. Thank you.
Regex I wrote:
^\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*.\w*.\w*.\w*\|\w*\|(?P<CODE>\d*)\|\w*\|(?P<ERRORMSG>\w*)\| (working only for First and Last events)
Sample events:
4CODEREG|REGT|MEF|IFA|REMOVE||||1234567890|bUnXG_o0PbpgAY2Go6F6jWWh|105.103.110.91|SAAS_BFAF_AUDIT|00|00|||20220419074638|||||<TRANSACTIONDATA><StatusMessage>GTX Key 202210954371398 Removing file: /opt/mef/temp/Attachments/IN//K20220419074627.3410.37570.68836.46248.co1rprdljap1s0l</StatusMessage></TRANSACTIONDATA>
wse083affc-1|TESTCASE|GETTRANS|VIEW_TRANS|VIEWPDF||||670018015|aMTmD8BKoyxOkt7U6MuUIl-2|2600:1700:2ed0:f8ws0:7566:140b:f358:6d20|SAAS_BSAF_AUDIT|01||Exception thrown from TDS on pdf or||20220419091342|202012|30|1|0|1;VENF;
446ODEREG|REGT|MEF|IFA|REMOVE||||1234567890|bUnXG_o0PbpgAY2Go6F6jWWh|104.103.110.90|SAAS_BFAF_AUDIT|01|00|Error||20220419074638|||||<TRANSACTIONDATA><StatusMessage>GTX Key 202210954371398 Removing file: /opt/mef/temp/Attachments/IN//K20220419074627.3410.37570.68836.46248.co1rprdljap1s0l</StatusMessage></TRANSACTIONDATA>
NOTE: First event doesn't have any values for ERRORMSG (High Lights are values)
^[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|(?P<CODE>\d*)\|[^\|]*\|(?P<ERRORMSG>[^\|]*)\|
^[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|(?P<CODE>\d*)\|[^\|]*\|(?P<ERRORMSG>[^\|]*)\|