Re: Using rex to find matching values.

veera9 · ‎08-31-2017

I have the following
ACTION :[7] 'CONNECT'
DATABASE[1] 'SYSTEM'

That's in the _raw data.
How do I extract CONNECT and SYSTEM under headers ACTION and DATABASE?

gcusello · ‎08-31-2017

Hi veera9,
Try this

ACTION\s:\[\d\]\s\'(?<ACTION>[^\']*)\'\s+DATABASE\[\d+\]\s\'(?<DATABASE>[^\']*)\'

Bye.
Giuseppe

DalJeanis · ‎08-31-2017

That would be

 | rex "ACTION\s:\[\d\]\s\'(?<ACTION>[^\']*)\'\s+DATABASE\[\d+\]\s\'(?<DATABASE>[^\']*)\'"

The above works fine. Based on your example breaking across lines, I might go with

 | rex "ACTION\s:\[\d\]\s\'(?<ACTION>[^\']*)\'"
 | rex "DATABASE\[\d+\]\s\'(?<DATABASE>[^\']*)\'"

...or...

 | rex "ACTION\s:\[\d\]\s\'(?<ACTION>[^\']*)\'|DATABASE\[\d+\]\s\'(?<DATABASE>[^\']*)\'" max_match=0

Any of the above should work.

veera9 · ‎09-23-2017

Thank you everyone.

gcusello · ‎09-24-2017

If you're satisfied, please accept or upvote this answer.
Bye.
Giuseppe

Using rex to find matching values.