Solved: How come my regex field extraction is showing no r...

kudvan · ‎12-26-2018

I have a log data and have a correct regex to extract data, which I confirmed works. However, the named field shows no data.

Sample log line

Dec 25 22:31:03 10.11.38.110 1 2018-12-26T22:27:08.000+01:00 SRV001 Logger1 - - -  [ Category = GrpMgmt ]  [ SOURCE = srv002 ]  [ GROUP_TYPE = Security ]  [ GROUP_SCOPE = dom01 ]  [ PRIVILEGES = - ]  [ ACCOUNT_NAME = Global_GRP ]  [ ACCOUNT_DOMAIN = dom01 ]  [ CALLER_USER_NAME = svcUsr ]  [ CALLER_USER_DOMAIN = dom01 ]  [ MEMBER_NAME = CN=usr001,OU=Users,DC=dom01,DC=org ]  [ EVENT_NUMBER = 4728 ]  [ ATTRIBUTES_OLD_VALUE = null ]

I want to extract the value of Member_Name to a variable e.g. MN, I have the following regex

rex _raw=".* \[ MEMBER_NAME \= (?P.+) \]\s+\[ EVENT_NUMBER"

When I use the above regex, I get the search results. However, the field MN is always empty — any hints that I am missing anything?

Thanks

renjith_nair · ‎12-26-2018

@kudvan ,

Try

|rex field=_raw "MEMBER_NAME\s\=\s(?<MN>.+?)\s]"

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎12-26-2018

@kudvan ,

Try

|rex field=_raw "MEMBER_NAME\s\=\s(?<MN>.+?)\s]"

---
What goes around comes around. If it helps, hit it with Karma 🙂

kudvan · ‎12-26-2018

the regex didn't come correctly, here is the exact regex:
|rex _raw=".* [ MEMBER_NAME = (?P.+) ]\s+[ EVENT_NUMBER"

How come my regex field extraction is showing no results?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!