Hi,
Another regex problem I'm afraid.....
I've got a very long event with 37 fields where all the fields are quoted and separated by comma. Also there are no key=value pairs.
For the most part my regex works nicely with the event data, but there are occasions where a quote also appears in the actual field data thereby breaking my regex separator character.
Working example (extremely simplified regex and event):
^"(?P<dest_ip>[^"]+)","(?P<dest_port>[^"]+)","(?P<uri>[^"]+)","(?P<request>[^"]+)","(?P<response>[^\n]+)"$
Data:
"192.0.0.20","80","fl=city,name,code,group=true&group.field=city","GET /solr/lpbm/select?fl=city","Logging rate limit reached"
No problem with this, all the fields parse out OK. However, this next event fails - note the additional " in fourth field:-
"192.0.0.20","80","fl=city,name,code,group=true&group.field=city","GET /solr/"lpbm"/select?fl=city","Logging rate limit reached"
This now breaks the [^"]+)"," part of my regex and distorts the field extractions.
Is there a way to do the equivalent of:-
......","(?P<request>[^","]+)",".......
I know that this is invalid, but I don't know what the alternative looks like 😞 !!
Thanks for any help,
Mark.
... View more