Hi All
I am trying to extract the values that trail context, userid, username, groupid.
Sample partial event:
{ "type": "login","context": "Rsomeserver:8877-T1670321752-P18407-T030-C000025-S38","sequence": 998,"message": { "state": "ok","agent": true,"userid": "User0000000949","loginid": "somelogin101","ownerid": "system","username": "John Smith","cssurl": "[\"/css/somepage.css\",\"/branding/\"]","groupid": "Group0000000945","windows": [ {"name":"something","id":"someid","url":"/someurl//
I started with this approach:
"context": "(?<SessionID>[^\"]*)".*?"username"+: "(?<Username>[^\"]*)"
And this seems to compile on regex101, but on rex it's throwing an error:
Error in 'SearchParser': Missing a search command before '^'. Error at position '141' of search query 'search index=<removed> ("\"login\"\,\"contex...{snipped} {errorcontext = ?<userid>[^\"]*)"}'.
My aim is to then use this data to join on the context value with another search, but I'm looking for help on where I'm going wrong with my Rex.
As the JSON seems to be truncated, I don't think I can treat it as JSON, so any help with a REX extraction would be greatly appreciated.
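An added example, not part of the original post: Python that pulls the four fields out of the truncated event with one independent pattern per key, so neither key order nor the missing end of the JSON matters. The function and variable names are assumptions made for this example; the sample event is the one quoted in the post.

```python
import json
import re

# Sample input: the truncated login event quoted in the post (it ends mid-value).
EVENT = r'''{ "type": "login","context": "Rsomeserver:8877-T1670321752-P18407-T030-C000025-S38","sequence": 998,"message": { "state": "ok","agent": true,"userid": "User0000000949","loginid": "somelogin101","ownerid": "system","username": "John Smith","cssurl": "[\"/css/somepage.css\",\"/branding/\"]","groupid": "Group0000000945","windows": [ {"name":"something","id":"someid","url":"/someurl//'''

FIELDS = ("context", "userid", "username", "groupid")


def field_pattern(key):
    """Regex for "key": "value"; the value may hold backslash-escaped characters."""
    return re.compile(r'"%s"\s*:\s*"((?:[^"\\]|\\.)*)"' % re.escape(key))


# One pattern per key (hypothetical helper names), compiled once.
PATTERNS = {key: field_pattern(key) for key in FIELDS}


def is_valid_json(raw):
    """True only if the whole event parses as JSON; the truncated sample does not."""
    try:
        json.loads(raw)
    except json.JSONDecodeError:
        return False
    return True


def extract_fields(raw):
    """Match each key on its own, so key order and the cut-off tail do not matter.
    A key that is absent (or whose value was cut off) maps to None."""
    result = {}
    for key, pattern in PATTERNS.items():
        match = pattern.search(raw)
        result[key] = match.group(1) if match else None
    return result


if __name__ == "__main__":
    print("parses as JSON:", is_valid_json(EVENT))
    for name, value in extract_fields(EVENT).items():
        print(f"{name} = {value}")
```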