Forum Discussion

msef280 (Copper Contributor), Nov 25, 2021

Need Help With Sentinel Regex
Hi Team,
I am trying to capture the following text, and when I write this query in Regex101 it does capture, but in Sentinel it is not capturing. I know we need to use the "extend" command as well, but I am just wondering how I can use the regex command in Sentinel, or if there is any resource I can follow going forward for Sentinel regex, as I do need to extract multiple data sources. Any help would be appreciated.
ACTUAL TEXT: [ TIME_GENERATED = 1634230921 ] [ RECORD_NUMBER = 1957461798 ] [ EVENT_TYPE = 8 ] [ EVENT_TYPE_TEXT = Success ] [ DOMAIN = HOUDOM ]
Query I wrote in REGEX101: \D\sRECORD_NUMBER\s\W\s(\d)+\s\D
m_zorich (Iron Contributor)

If you want to extract multiple columns out from a single string (which I think is what you want to do), you could use the parse command:
| parse ACTUALTEXT with * "TIME_GENERATED =" Time "]" *
| parse ACTUALTEXT with * "RECORD_NUMBER =" RecordNumber "]" *
| parse ACTUALTEXT with * "EVENT_TYPE =" EventType "]" *
That should return three new columns called Time, RecordNumber and EventType.
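For the regex route the original question asked about, the KQL function is extract(), used inside extend. The query below is an added example and is not code from either poster; the ACTUALTEXT column name is taken from the answer above, and the single sample row is constructed from the text in the question so the query runs on its own in any Sentinel or Azure Data Explorer query window. Two details matter for the original pattern: Kusto uses the RE2 regex engine, and the capturing group should wrap the whole number, `(\d+)`, because with `(\d)+` group 1 only keeps the last digit matched.

```kql
// Added example, not part of the original thread.
// Constructed sample row shaped like the log line quoted in the question.
datatable(ACTUALTEXT:string) [
    "[ TIME_GENERATED = 1634230921 ] [ RECORD_NUMBER = 1957461798 ] [ EVENT_TYPE = 8 ] [ EVENT_TYPE_TEXT = Success ] [ DOMAIN = HOUDOM ]"
]
// extract(regex, captureGroup, source): group 1 is the value after "=".
// \s* tolerates the spaces around "=" so the pattern still matches if the
// source ever drops or doubles them.
| extend RecordNumber   = tolong(extract(@"RECORD_NUMBER\s*=\s*(\d+)", 1, ACTUALTEXT))
| extend EventType      = toint(extract(@"EVENT_TYPE\s*=\s*(\d+)", 1, ACTUALTEXT))
| extend EventTypeText  = extract(@"EVENT_TYPE_TEXT\s*=\s*(\w+)", 1, ACTUALTEXT)
| extend Domain         = extract(@"DOMAIN\s*=\s*(\w+)", 1, ACTUALTEXT)
// TIME_GENERATED is epoch seconds; convert it to a real datetime column.
| extend TimeGenerated  = unixtime_seconds_todatetime(tolong(extract(@"TIME_GENERATED\s*=\s*(\d+)", 1, ACTUALTEXT)))
// Same result with parse, casting as part of the pattern; the literal
// includes the surrounding spaces so the value comes out without padding.
| parse ACTUALTEXT with * "RECORD_NUMBER = " RecordNumberParsed:long " ]" *
| project TimeGenerated, RecordNumber, RecordNumberParsed, EventType, EventTypeText, Domain
```

Both approaches produce the same RecordNumber (1957461798). extract() is the better fit when the field order in the string can vary or a field may be absent, since each extract() is independent and returns an empty value rather than failing; parse is simpler when the layout is fixed. With parse, note that the literal must include the spaces you want stripped, otherwise the captured value keeps them and comparisons such as `where RecordNumber == 1957461798` will not match.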