I have a regex that should be extracting the employeeType field from an event. Below is the text of the event and the regex I am using.
Details: Attributes: employeeType Contractor
mysearch | rex "employeeType\n\t\t\t(?<employeeType>\w+)"
We see the extraction work on regxr, but it doesn't seem to extract in the search.
... | rex "employeeType\s*(?<employeeType>\w+)".
Are you sure there are tabs preceding the "employeeType" value? Here's a few suggestions to try:
If there are tabs prior to the employeeType value, this should account for 1 or more tabs in the regex
If these are actually spaces, this should work
In my quick testing on https://regex101.com, I observed the regex did not need the newline token (\n) - so you could try your regex without it
Hope this helps,
The raw value did not have the newline like the event appears to in the search which is why it worked in my testing because I was using the formatting presented with the search. In any case, richgalloway solved my issue. Thanks for replying!