I'm trying to capture address, city and state, which are in one line but have ", : and , in between.
I would like to exclude them (quotes, comma and colon).
See the test example below:
12345 noth test Avenue","city":"test","state":"test",
Hi @CyberWolf,
please try:
<your_search>
| rex "^\"address\":\"(?<address>[^\"]+)\",\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"
| eval address=address." City ".city." state ".state
Ciao.
Giuseppe
Thanks, but I think I wasn't clear. What I'm trying to do is have all of that in one field called (?<address>), not separated into city and state.
Hi @CyberWolf,
let me understand: you want only one field, called address, containing city and state, is that correct?
In this case, please try this:
<your_search>
| rex ".*\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"
| eval address=state." ".city
Ciao.
Giuseppe
Creating the regex would be easy enough but it looks like your data is already coming in JSON or XML format. Is there a chance that the fields are already extracted as "city" and "state"? If not then I would recommend revisiting the ingestion props as a best practice. Rather than creating a lot of regex at search time if you had that field extraction during indexing then any changes to data would auto extract new fields.
.*\"city\"\:\"(?<city>[^\"]+)\"\,\"state\"\:"(?<test>[^\"]+)
Correct, it comes in JSON and I don't have control of it, but what I'm trying to have is address, city and state all in the one field, ignoring the comma, quotes and :
Hi @CyberWolf,
for the logs you have, you can use a regex like the following:
| rex "^[^,]+,\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"
that you can test at https://regex101.com/r/ZafgnI/1
I'd be more detailed if you could share a complete log, not only a part of it.
Ciao.
Giuseppe
Example from the raw logs:
"address":"1234 Nothing 2C Avenue","city":"something","state":"RD"
I would like to have the field name Address
Address
1234 Nothing 2C Avenue City something state RD
all that in one field, so ignore the " , and :
What I have:
index=something
| rex field=_raw "address\"\:\"(?<address>.*?)\"\,\"
which shows the field name:
address
1234 Nothing 2C Avenue","city":"something","state":"RD"
Hi @CyberWolf,
please try:
<your_search>
| rex "^\"address\":\"(?<address>[^\"]+)\",\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"
| eval address=address." City ".city." state ".state
Ciao.
Giuseppe
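The rex and eval in the accepted answer above, re-implemented in Python so the pattern can be checked offline before it goes into a search. This is example code added here, not code from the thread or from Splunk; the sample events are constructed to match the shape of the raw log shown in the thread. It also includes the JSON-parse route suggested earlier in the thread, under the assumption (ours, not the thread's) that the whole event is a valid JSON object.

```python
import json
import re

# Constructed sample events in the shape shown in the thread (not real log data).
SAMPLE_LOGS = [
    '"address":"1234 Nothing 2C Avenue","city":"something","state":"RD"',
    '"address":"1 Main St, Suite 5","city":"Somewhere","state":"ZZ"',  # comma inside the value
    '"host":"web01","status":"ok"',                                     # no address fields at all
]

# Python form of the accepted rex. [^"]+ consumes everything up to the next quote,
# so a comma inside the address value is kept, while the literal separators
# (", : and ,) between the fields are never part of the captured groups.
ADDRESS_RE = re.compile(
    r'^"address":"(?P<address>[^"]+)","city":"(?P<city>[^"]+)","state":"(?P<state>[^"]+)'
)


def combine_address(line):
    """Equivalent of the rex followed by
    eval address=address." City ".city." state ".state
    Returns None when the line does not carry all three fields."""
    m = ADDRESS_RE.search(line)
    if m is None:
        return None
    return f'{m["address"]} City {m["city"]} state {m["state"]}'


def combine_address_from_json(event):
    """Alternative for the case where the whole event is a valid JSON object
    (assumed here): let a JSON parser pull the fields instead of a regex, which
    is what Splunk's own JSON extraction would do at index or search time."""
    data = json.loads(event)
    try:
        return f'{data["address"]} City {data["city"]} state {data["state"]}'
    except KeyError:
        return None


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(repr(line), "->", combine_address(line))
```

Running the block prints the combined value for the first two sample lines and None for the third, which is the same outcome the rex gives in Splunk: events without the three fields simply get no address field.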
Thank you all, it worked! (Grazie mille!) YEAHHH
Are you trying to capture the data in a single field or multiple fields? Is this to be done at index time or search time?
All in a single field so I can use it later for dc (distinguish count).