Hi,
I'm trying to extract two fields from a precalculated field, and so far I'm having trouble with the forward slash character.
My field is formed like this:
FieldGlobal=Field1/Field2
I've tried the following: rex field=FieldGlobal "(?[a-zA-Z0-9]+)\/(?[a-zA-Z0-9]+)"
So far, it works for a lot of logs, but for some it gives something like:
FieldExtracted1=Field1%2fField2
Do you know how to work with that?
Regards
I got my problem ...
The logs I was trying to parse were Internet access logs.
I was trying to separate the precalculated Mime Type field, which was formed like this:
mt=video/mp4 for example.
My extraction was: rex field=mt "(?[a-zA-Z0-9]+)/\//(?[a-zA-Z0-9]+)"|
And ... I discovered that some logs include the "mime" value in the URL ...
So the treatment I was trying to do was also based on this value ...
I've corrected the name of the extracted field and it's working fine ...
Thanks a lot for your help !!!!
Glad things are working for you now. You can accept your own answer to mark this question as resolved.
Give this a try
your base search | rex field=FieldGlobal "(?<FieldExtracted1>[^\/]+)\/(?<FieldExtracted2>.+)"
Thanks for your help !
Same result apparently. I still have the "/" character that seems to be converted to %2F in some logs ...
I guess the raw data itself contains that forward slash converted to %2F. So how about this?
your base search | rex field=FieldGlobal "(?<FieldExtracted1>.)(\/|%2F)(?<FieldExtracted2>.+)"
Mmhhh already tried it and it's even worse 🙂
I don't understand why as it should match ...
Well, at this point I would ask for sample events (scrub any sensitive information) for both scenarios (where it's working and where it's not).
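The thread turns on a MIME value whose separator shows up either as a literal "/" or percent-encoded as %2F. The following is an added Python example, not code from any poster, that normalises both spellings so that counts and detections built on the MIME type treat them as the same value. The names split_mime and summarize and the sample values are made up for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Type, then "/" or its percent-encoded spelling (%2F / %2f), then subtype.
# Python writes named groups as (?P<name>...); Splunk rex writes (?<name>...).
MIME_RE = re.compile(
    r"^(?P<mime_type>[^/%\s;]+)(?P<sep>/|%2[fF])(?P<mime_subtype>[^\s;]+)"
)

def split_mime(value):
    """Return (type, subtype, was_encoded), or None if there is no separator."""
    m = MIME_RE.match(value.strip())
    if m is None:
        return None
    return (
        unquote(m["mime_type"]).lower(),
        unquote(m["mime_subtype"]).lower(),
        m["sep"] != "/",  # True when the slash arrived as %2F / %2f
    )

def summarize(values):
    """Count values per normalised type/subtype; collect what did not parse."""
    counts, unparsed = Counter(), []
    for v in values:
        parsed = split_mime(v)
        if parsed is None:
            unparsed.append(v)
        else:
            counts[f"{parsed[0]}/{parsed[1]}"] += 1
    return counts, unparsed

# Constructed sample values (hypothetical, not taken from the thread's logs).
SAMPLES = [
    "video/mp4",
    "video%2Fmp4",
    "application%2fjson",
    "text/html; charset=utf-8",
    "-",
]

if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLES)
    for mime, n in sorted(counts.items()):
        print(f"{mime}\t{n}")
    print("unparsed:", unparsed)
```

The was_encoded flag makes it easy to see which events carried the encoded form, which helps when tracing where such values come from.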