0

I want to extract "TimesAccesed" from the message field.

Message: PublicDomainAPI.SaveAsync: progresses = [{"UserGuid":"0a062514-def3-4ae5-9092-asd12easd","CourseId":"c71f6538-e379-447e-aaf3-asd1dasd","Status":"InProgress","UserScore":1,"TotalTime":"0:23:45","TimesAccessed":null,"CompletionDate":null,"LastTimeAccessed":"2022-07-23T09:59:12.191+00:00","SuccessStatus":"Pass","Bookmark":"en","SuspendData":null,"Progress":null,"RegistrationDate":"2022-07-23T09:59:12.191+00:00","RegistrationNumber":1}], total: 1

I used | rex field=Message "\"TimesAccessed\"\:\"(?<TimesAccessed>[^\"]+)"

But I am not getting tabulated results because my data has NULL. The same works for other fields like

| rex field=Message "\"TotalTime\"\:\"(?<TotalTime>[^\"]+)" 
| rex field=Message "\"CourseId\"\:\"(?<CourseId>[^\"]+)"
warren
  • 32,620
  • 21
  • 85
  • 124
Nikhil Pundlik
  • 3
  • 1

1 Answers1

1

Checking your regex on regex101 shows that it fails - you're looking to match a literal ", but it's not there for your "null" value

This regular expression is both simpler to read, and pulls what you're looking for (without the extraneous comma):

| rex field=Message "TimesAccessed[[:punct:]]+(?<TimesAccessed>[^\",]+)"

Use the [[:punct:]] character class to match any punctuation between the text you're trying to match

warren
  • 32,620
  • 21
  • 85
  • 124
  • A `rex` command that fails to match will create a field with a null value. null values can be displayed by `table`, but tend to break `stats`. If we know more about the search we can better suggest fixes, but correcting the regex is the place to start. – RichG Jul 26 '22 at 20:08
  • @RichG - the sample data show a string literal of `null` – warren Jul 26 '22 at 20:11
  • Yes, it does, but the given regex fails to find it so the TimesAccessed field will be `null`. – RichG Jul 26 '22 at 20:12
  • @RichG - that's why I fixed the regex :) – warren Jul 26 '22 at 20:32