Hello,
I'm attempting to use the regex command to filter out any records on the "user" field that do not match the written expression below:
index=myindex sourcetype=traceability_log4net earliest=-10d
| regex _raw="user=[a-z]{3,6}[a-z1-9]{1,2}"
| table user
Per the expression, there should not be any "user" records that exceed 8 characters. However, the non-matching values are not being filtered out.
"sstevenson6111", for example, should theoretically be listed as "sstevens" per the expression.
I'm sure there's something blindingly obvious that I'm missing! 😳
Your regex is matching against the _raw field. It is looking for a string anywhere in the _raw field that matches the expression user=[a-z]{3,6}[a-z1-9]{1,2}, for example:
notuser=abc1@nowhere
user=sstevenson6111
All your examples match this expression.
The regex command passes what matches the specified expression. To filter them out, use !=.
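To make the behaviour described in the answer above concrete, here is an added Python example (not part of the original thread and not Splunk code) that runs the poster's expression as an unanchored search over a few constructed key=value log lines, the way `regex _raw=...` does, and contrasts it with the same rule anchored to both ends of the extracted user field. The event lines, the `extract_user` helper and the anchored `FIELD_PATTERN` are assumptions made for illustration; Python's `re` module is used in place of Splunk's PCRE engine, which agrees with it for this expression.

```python
import re

# Constructed sample events (not taken from the original post):
# key=value style lines such as a log4net appender might write.
SAMPLE_EVENTS = [
    "2024-01-01 10:00:00 INFO notuser=abc1@nowhere action=login",
    "2024-01-01 10:00:01 INFO user=sstevenson6111 action=login",
    "2024-01-01 10:00:02 INFO user=jdoe42 action=logout",
    "2024-01-01 10:00:03 INFO user=abc action=login",
]

# The expression from the post, exactly as written, applied to the whole line.
RAW_PATTERN = re.compile(r"user=[a-z]{3,6}[a-z1-9]{1,2}")

# Hypothetical: the same character rule anchored to the start and end of the
# extracted user value, so a longer value cannot match on a prefix.
FIELD_PATTERN = re.compile(r"^[a-z]{3,6}[a-z1-9]{1,2}$")


def extract_user(event):
    """Pull the value of a whitespace-delimited user= field; None if absent.

    Requires start-of-line or whitespace before 'user=' so that 'notuser='
    is not mistaken for the user field.
    """
    m = re.search(r"(?:^|\s)user=(\S+)", event)
    return m.group(1) if m else None


def raw_search_matches(event):
    """Unanchored search, which is what `regex _raw="..."` does.

    Returns the substring that matched, or None. Note that the match can be a
    prefix of a longer value or sit inside a different field name.
    """
    m = RAW_PATTERN.search(event)
    return m.group(0) if m else None


def raw_not_match(event):
    """Semantics of `regex _raw!="..."`: keep events the expression does NOT match."""
    return RAW_PATTERN.search(event) is None


def user_is_valid(event):
    """Anchored test on the extracted field: the check the poster actually wanted."""
    user = extract_user(event)
    return user is not None and FIELD_PATTERN.fullmatch(user) is not None


def filter_events(events, predicate):
    """Return the events for which predicate() is true, preserving order."""
    return [e for e in events if predicate(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e!r}\n  raw search -> {raw_search_matches(e)!r}"
              f"\n  user field -> {extract_user(e)!r}, valid={user_is_valid(e)}")
    print("regex _raw!= keeps:", filter_events(SAMPLE_EVENTS, raw_not_match))
```

Running it shows why the poster saw "sstevenson6111": the unanchored search matches the substring "user=sstevens" inside that line and passes the whole event, and it also matches "user=abc1" inside "notuser=abc1@nowhere". Anchoring the rule to the extracted field (or, in SPL, adding a trailing delimiter such as `(\s|$)` to the `_raw` expression) is what actually restricts the user value to at most eight characters.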