Hi,
Regex wimp here...
I need to extract the file name after the word detected fro ma _raw event.
Example of _raw log;
change to a file has been detected /etc/fileinquestion.conf
I've tried the following but it errors;
| rex field=_raw "detected\s*(?*)"
Any helps appreciated. Thanks.
Considering that your message might vary the part before the file name, i think you should use a negative lookahead style, like this
| rex field=_raw "(?=\/)(?P<filename>.*)"
It works, but I'm not sure how!? Would you mind explaining what the (?=\/) achieves?
It says to the regex processor to not capture anything until it finds the /.
It is more agile than assuming the logs always have the word "detected". But it's up to your specific scenario though.
If it suits you, please upvote the answer as it is a valid option
Great. Thanks.
Hi can you try:
| rex field=_raw "detected\s*(?P<filename>.*)"
Worked a treat. Thanks.
Please accept answer if its helpful.. 🙂