Hello,
There must be something `rex`-specific with my query below, since it is not extracting the fields, while the regex works as expected when I test it on regex101 (see https://regex101.com/r/g0TMS4/1):
```
eventtype="my_event_type"
| rex field=responseElements.assumedRoleUser.arn /arn:aws:sts::(?<accountId>\d{12}):assumed_role\/(?<assumedRoled>.*)\/vault-oidc-(?<userId>\w+)-*./
| fields accountId, assumedRole, userId
```
Sample data that fails to match:
```
arn:aws:sts::984086324016:assumed-role/foo-admin-app/vault-oidc-foo-admin-app-1687793763-Qen4JHeRXYlB8Eoplkjs
```
Thanks
Alex.
Firstly, you don't need the / at the beginning and end of the regex string in the rex command; if anything, these should be replaced with double quotes. Secondly, you have an underscore instead of a hyphen in your regex (assumed-role), which doesn't match with your sample data.
```
| rex field=responseElements.assumedRoleUser.arn "arn:aws:sts::(?<accountId>\d{12}):assumed-role\/(?<assumedRoled>.*)\/vault-oidc-(?<userId>\w+)-*."
```
Also, you don't have to escape slashes in the regex.
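The points raised in this thread can be checked offline against the sample ARN. The Python below is an added example, not code from either poster: it rewrites the named groups as `(?P<name>...)` because Python's `re` module requires that spelling, and the helper names `extract` and `undefined_fields` are made up for this illustration.

```python
import re

# Sample ARN quoted in the question.
SAMPLE_ARN = ("arn:aws:sts::984086324016:assumed-role/foo-admin-app/"
              "vault-oidc-foo-admin-app-1687793763-Qen4JHeRXYlB8Eoplkjs")

# The question's pattern (underscore in "assumed_role"), the answer's
# pattern (hyphen), and the same pattern with the slashes left unescaped.
AS_ASKED = (r"arn:aws:sts::(?P<accountId>\d{12}):assumed_role\/"
            r"(?P<assumedRoled>.*)\/vault-oidc-(?P<userId>\w+)-*.")
AS_ANSWERED = AS_ASKED.replace("assumed_role", "assumed-role")
UNESCAPED = AS_ANSWERED.replace(r"\/", "/")

# Field names listed in the question's "| fields" command.
WANTED_FIELDS = ["accountId", "assumedRole", "userId"]


def extract(pattern, arn):
    """Return the named groups as a dict, or None when nothing matches.

    re.search is used because rex patterns are unanchored as well.
    """
    match = re.search(pattern, arn)
    return match.groupdict() if match else None


def undefined_fields(pattern, wanted):
    """List the wanted field names that the pattern has no group for."""
    defined = re.compile(pattern).groupindex
    return [name for name in wanted if name not in defined]


if __name__ == "__main__":
    for label, pattern in (("as asked", AS_ASKED),
                           ("as answered", AS_ANSWERED),
                           ("unescaped", UNESCAPED)):
        print(f"{label:12} {extract(pattern, SAMPLE_ARN)}")
    # The capture group is spelled assumedRoled, while the fields
    # command in the question lists assumedRole.
    print("not extracted:", undefined_fields(AS_ANSWERED, WANTED_FIELDS))
```

On the sample ARN, `\w+` stops at the first hyphen after `vault-oidc-`, so `userId` comes back as `foo`.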