extract a field with colon and forward slash and flower braces
Hi Team,
I am looking to extract the last value, or the last but one, or both values from the field, which looks like the one below (eeee fffff or {eeeee}/fffffff):
"field":"aaaaa-bbbbb-cccc:v1.1-d1:ggg:/dddd/{eeeee}/fffffff"
Please help me with the regular expression for it. I tried something like rex field=_raw "\"field\":\"././(?\w+)." but it is not working.
Regards,
Sreedhar.A
Thanks Guys. I will explore these options

This works over at regex101.com...
"field":"[^{]*{(?<myvalue1>[^}]+)}\/(?<myvalue2>[^"]+)
In a rex command, that will have to be surrounded by quotes and properly escaped, which I believe looks like this...
| rex field=_raw "\"field\":\"[^{]*{(?<myvalue1>[^}]+)}\/(?<myvalue2>[^\"]+)"
Explanation: This regex keys on the word field surrounded in quotes, followed by a colon and another quote. "field":"
After that, it matches and ignores anything that is not an open curly brace, then matches and discards one curly brace. [^{]*{
Now we are at our first field of interest. Match and grab everything that is not a close-curly-brace, putting it into field myvalue1. (?<myvalue1>[^}]+)
Then match and discard one close curly brace and a slash. }\/
Now we are at our second field of interest. Match and grab everything that is not a close-quote, putting it into field myvalue2. (?<myvalue2>[^"]+)
The above demonstrates a desired efficiency method in regexes - always (whenever possible) make sure that successive elements are mutually exclusive. It is highly efficient to code [^{]+{ -- which translates as "match everything but a left curly, then match one left curly" -- because if there is NO left curly in the source, then we are done, and there is no backtracking. Runaway regexes are usually catastrophic only in the case of an ugly NON-match, as opposed to a match. This way, the non-match is quite graceful in knowing that it has no more work to do.
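The regex explained in the answer above, run outside Splunk over matching and non-matching events (an added example, not part of the original post). It also shows that `[^{]*` is not stopped by the field's closing quote, and compares a quote-bounded variant. Assumptions: the braces are escaped for JavaScript, `BOUNDED_RE` and the function names are hypothetical, and every event except the first is constructed.

```javascript
// Regex from the answer; { and } are escaped so it is valid in every JS regex mode.
const FIELD_RE = /"field":"[^{]*\{(?<myvalue1>[^}]+)\}\/(?<myvalue2>[^"]+)/;

// Hypothetical variant (not from the post): the negated classes also exclude
// the double quote, so the match cannot run past the end of the "field" value.
const BOUNDED_RE = /"field":"[^{"]*\{(?<myvalue1>[^}"]+)\}\/(?<myvalue2>[^"]+)/;

// Returns { myvalue1, myvalue2 }, or null when the event does not match.
function extract(raw, re = FIELD_RE) {
  const m = re.exec(raw);
  if (m === null) return null;
  return { myvalue1: m.groups.myvalue1, myvalue2: m.groups.myvalue2 };
}

// First event is the sample from the question; the rest are constructed.
const events = [
  '"field":"aaaaa-bbbbb-cccc:v1.1-d1:ggg:/dddd/{eeeee}/fffffff"',
  '"field":"aaaaa-bbbbb-cccc:v1.1-d1:ggg:/dddd/eeeee/fffffff"', // no braces
  '"field":"' + 'a/'.repeat(50000) + '"',                         // long non-match
  '"other":"x","field":"p:/q/{r-s}/t.u"',                        // field not first
];

// Constructed event where the only braces belong to a later key.
const SPILL = '"field":"abc","x":"{y}/z"';

function extractAll(list, re = FIELD_RE) {
  return list.map((e) => extract(e, re));
}

for (const r of extractAll(events)) console.log(r);
console.log('unbounded on SPILL:', extract(SPILL));             // picks up y and z
console.log('bounded on SPILL:  ', extract(SPILL, BOUNDED_RE)); // null
```

The long non-match returns null after a single linear pass, because nothing after `"field":"` can match `{`.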

Hi,
Can you please try <yourBasesearch> | rex "(?m).*\/(?<extracted_field>.*\/.*)\""
Sample query in which first 2 lines are generating dummy data.
| makeresults
| eval _raw="\"field\":\"aaaaa-bbbbb-cccc:v1.1-d1:ggg:/dddd/{eeeee}/fffffff\""
| rex "(?m).*\/(?<extracted_field>.*\/.*)\""

Especially with regexes, please mark your code with the code button (101 010) or set it on a separate line with at least 4 spaces in front of it, or surround it with grave accents - the key to the left of the 1 on an American keyboard. Any of those will keep the interface from reading the code as HTML and/or deleting it.
