Hi,
Can someone help me in writing the regex for the following strings?
20141128082428PAASSUB 00.?9CDPCI8I USER ACTION TITLE 295211P3055E464 01Q0009000054146746SAHEER SHAIK12
20141202054437PBSALAK 00.94_VCT90U Windows security event logs P43833244199105 02P8758878262824579SAI LAKSMII
I need to extract the last string and name it as user, e.g. user=SAHEER SHAIK. Also extract the digits "P43833244" and name them as ID.
Please try this:
rex field=_raw "(?<ID>P\w{8})\w*\s(?<First>\w+)\s(?<Last_Name>\w+$)" | rex field=First "\w+\d(?<First_Name>\w+$)" | table ID First_Name Last_Name
Hello
Regex for ID:
P(?<ID>\d{8})
Regex for name:
(?<name>[^\d]*)\d*\s*$
Regards
Hello,
The regex for the name is working. Can you please explain the expression to me?
And the regex for ID is not working. This is capturing the first 8 digits of the string.
Thanks
Updated,
The first regex was missing a P.
The regex for the name works this way: it goes to the end of the event, leaves out of the capturing group any spaces and numbers, and then captures everything backwards until the first digit is found.
Regards
Thank you for the explanation. It's clear now.
But the ID regex is still not working.
Hello
The regex works for me, but only for the second sample event. The first event also has letters, not just digits as you stated it should:
ID starts with the letter P followed by 8 digits
This sentence means this regex: P(?<ID>\d{8})
If you want to include letters as well, you should give us additional constraints on the surrounding data to make it work for all cases. Maybe you can post additional sample events.
Try this:
rex field=_raw "(?<ID>P\w{8})\w*\s(?<First>\w+)\s(?<Last_Name>\w+$)" | rex field=First "\w+\d(?<First_Name>\w+$)" | table ID First_Name Last_Name
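As an added illustration that is not code from the thread, here are the patterns discussed above run over the two sample events with Python's re module, which spells named groups as (?P<name>...) where Splunk's PCRE uses (?<name>...). It shows why P\d{8} finds no ID in the first event while P\w{8} does, how the name regex anchors to the end of the event, and what the two chained rex commands from the rex-based answer produce.

```python
import re

# Constructed copies of the two sample events from the question.
EVENTS = [
    "20141128082428PAASSUB 00.?9CDPCI8I USER ACTION TITLE 295211P3055E464 01Q0009000054146746SAHEER SHAIK12",
    "20141202054437PBSALAK 00.94_VCT90U Windows security event logs P43833244199105 02P8758878262824579SAI LAKSMII",
]

# The thread's patterns, with PCRE/Splunk "(?<name>" written as Python's "(?P<name>".
ID_DIGITS = re.compile(r"P(?P<ID>\d{8})")       # P followed by exactly 8 digits
ID_WORD = re.compile(r"(?P<ID>P\w{8})")         # P followed by 8 word characters (digits or letters)
NAME = re.compile(r"(?P<name>[^\d]*)\d*\s*$")   # trailing non-digit run; trailing digits/spaces left out
# The rex-based answer: first rex over the raw event, second rex over its First field.
REX_1 = re.compile(r"(?P<ID>P\w{8})\w*\s(?P<First>\w+)\s(?P<Last_Name>\w+$)")
REX_2 = re.compile(r"\w+\d(?P<First_Name>\w+$)")


def extract(pattern, text, group):
    """Leftmost match of `pattern` in `text`; return the named group, or None if nothing matches."""
    m = pattern.search(text)
    return m.group(group) if m else None


def rex_pipeline(event):
    """Mimic the two chained rex commands and return the fields they would create."""
    m = REX_1.search(event)
    if not m:
        return None
    fields = m.groupdict()
    m2 = REX_2.search(fields["First"])
    fields["First_Name"] = m2.group("First_Name") if m2 else None
    return fields


if __name__ == "__main__":
    for ev in EVENTS:
        # First event: None, because its ID P3055E464 contains a letter after the P.
        print("ID via P\\d{8}:", extract(ID_DIGITS, ev, "ID"))
        print("ID via P\\w{8}:", extract(ID_WORD, ev, "ID"))
        print("name:", extract(NAME, ev, "name"))
        # Note that Last_Name keeps the trailing "12" of SHAIK12; the NAME regex drops it.
        print("rex pipeline:", rex_pipeline(ev))
```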
This should do:
(?<ID>P\d{8})
This is not working, Connor.
Can you confirm these?
There is no space between these values and the name: 01Q0009000054146746SAHEER SHAIK12
Is the ID you specified a letter followed by 8 digits, out of this P43833244199105?
There is no space in 01Q0009000054146746SAHEER SHAIK12.
The ID starts with the letter P followed by 8 digits.