I need to extract a session ID out of events, but the special character is causing me problems.
Example:
```
Oct 22 08:33:30 192.168.7.251 postfix/smtp[76654]: 67BE5D1332D0A82F: System: MTA, Source (Reason): None, Action: sent
Oct 22 08:33:30 192.168.7.251 postfix/smtp[76654]: 67BE5D1332D0A82F: to=, delay=0.42, delays=0.41/0/0/0.01, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
```
I want to extract `67BE5D1332D0A82F`.
```
sourcetype=WatchGuard 67BE5D1332D0A82F | rex field=_raw "postfix/\w+\[\d+\]: (?<session_id>[0-9A-F]+):"
```
The above does not work.
Any help would be appreciated,
Thanks,
John
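An added example, not part of John's post: a Python prototype of the same extraction over constructed events modelled on the ones above, useful for checking a pattern before putting it in `rex`. It assumes short-format (uppercase hex) Postfix queue IDs and uses Python's `(?P<name>...)` group syntax where Splunk's PCRE uses `(?<name>...)`.

```python
import re

# Constructed sample events modelled on the question (not real traffic).
SAMPLE_EVENTS = [
    "Oct 22 08:33:30 192.168.7.251 postfix/smtp[76654]: 67BE5D1332D0A82F: "
    "System: MTA, Source (Reason): None, Action: sent",
    "Oct 22 08:33:30 192.168.7.251 postfix/smtp[76654]: 67BE5D1332D0A82F: to=, "
    "delay=0.42, delays=0.41/0/0/0.01, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)",
    "Oct 22 08:34:01 192.168.7.251 postfix/qmgr[1201]: 67BE5D1332D0A82F: removed",
    "Oct 22 08:34:05 192.168.7.251 sshd[4412]: Accepted publickey for ops from 10.0.0.5",
]

# The queue ID is the token after "postfix/<daemon>[pid]: " that ends in ":".
# Assumption: short-format queue IDs (uppercase hex); long-format IDs are mixed-case
# alphanumerics and would need a wider class. Splunk rex form of the same group:
# "postfix/\w+\[\d+\]: (?<session_id>[0-9A-F]+):"
EVENT_RE = re.compile(
    r"postfix/(?P<daemon>[a-z]+)\[(?P<pid>\d+)\]: "
    r"(?P<session_id>[0-9A-F]{6,}): (?P<message>.*)$"
)
# key=value pairs in the message body; values may be empty (e.g. "to=,").
KV_RE = re.compile(r"(?P<key>[a-z]+)=(?P<value>[^,]*)")


def parse_postfix_event(line):
    """Return the extracted fields for a Postfix event, or None for other log lines."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["kv"] = {k: v.strip() for k, v in KV_RE.findall(fields["message"])}
    return fields


def group_by_session(lines):
    """Map each queue ID to the ordered list of message bodies logged under it."""
    sessions = {}
    for line in lines:
        ev = parse_postfix_event(line)
        if ev is not None:
            sessions.setdefault(ev["session_id"], []).append(ev["message"])
    return sessions


if __name__ == "__main__":
    for sid, msgs in group_by_session(SAMPLE_EVENTS).items():
        print(sid, "->", len(msgs), "events")
```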