How can we write regex for below?
CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=465000430130063349
Here I want to extract only 0 placed between || just before fileId.
Asked
Active
Viewed 113 times
2
Mads Hansen
- 63,927
- 12
- 112
- 147
supriya
- 21
- 1
- 6
1 Answers
2
In the following regex we have:
- a named capture group called "myField" that grabs a number
(?<myField>\d) - that is in between the
|character, escaped as:\| - followed by an optional space (your example had a space between
|andfileId):\s? - and then the text fileId:
fileId
Putting it all together:
\|(?<myField>\d)\|\s?fileId
So you should be able to apply the regex in Splunk with:
| rex field=_raw "\|(?<myField>\d)\|\s?fileId"
And then use the myField. Obviously, rename to whatever makes sense for you, and target the appropriate field if not _raw
Mads Hansen
- 63,927
- 12
- 112
- 147