Solved: Incorrect Regex

IRHM73 · ‎11-25-2015

Hi, I wonder whether someone may be able to help me please.

I've created this regex \"Surname\\":\\"(?<SName>[^"]+)\\" which extracts the Surname from the following raw data:

"Surname\":\"SMITH\"

This works fine in Regex101, but I when I add this to my query here:

auditSource=tamc auditType=OutboundCall | rex field=_raw "\"Surname\\":\\"(?<SName>[^"]+)\\""

I receive the following error:

Mismatched ']'.

I just wondered whether someone may be able to look at this please and let me know where I've gone wrong.

Many thanks and kind regards

Chris

woodcock · ‎11-25-2015

Like this:

"Surname":"(?<SName>[^"]+)"

And this:

auditSource=tamc auditType=OutboundCall | rex field=_raw "\"Surname\":\"(?<SName>[^\"]+)\""

woodcock · ‎11-25-2015

Like this:

"Surname":"(?<SName>[^"]+)"

And this:

auditSource=tamc auditType=OutboundCall | rex field=_raw "\"Surname\":\"(?<SName>[^\"]+)\""

IRHM73 · ‎11-25-2015

Hi @woodcock thank you for coming back to me with the solution.

Kind regards

Chris

stephanefotso · ‎11-25-2015

Hello try this: auditSource=tamc auditType=OutboundCall | rex field=_raw "\"Surname\":\"(?[^\"]+)\""

SGF

IRHM73 · ‎11-25-2015

Hi thank you for coming back to me with this, but unfortunately I still receive the same error.

I'm able to get past the error using rex field=_raw "\"Surname\":\"(?[^\"]+)\"" but it is not extracting any information.

Kind Regards

Chris

Incorrect Regex