Solved: Why would the rex command ignore special character...

skhprabu · ‎02-01-2019

I have my log like

params=All Items | ABC | 2019-01-29 |  |  |  |  |  |  | = |  | = |  |  |  |  |  | ,uri=/api/items

this is my rex field in search

rex field=_raw"params\=(?<parameters>[^=]+)(?=\,uri)"

I expect parameters to save everything between "params=" and ",uri=/api/items"

parameters=All Items | ABC | 2019-01-29 |  |  |  |  |  |  | = |  | = |  |  |  |  |  |

but when i perform search it completel ignores all characters after equals to (=) symbol and shows only

All Items | ABC | 2019-01-29 |  |  |  |  |  |  |

how should i fix my rex to include = as part of my search result

Vijeta · ‎02-01-2019

Use the below rex command

rex field=_raw "params=(?<parameters>.*),uri="

woodcock · ‎02-01-2019

Use this instead:

... | rex "params\=(?<parameters>.+?)(?=\,uri)"

OR

... | rex "params\=(?<parameters>.+)\,uri="

Vijeta · ‎02-01-2019

Use the below rex command

rex field=_raw "params=(?<parameters>.*),uri="

Why would the rex command ignore special characters in a search?