FAQ: How do I complete a regex() extraction without filtering data?

LogScale allows you to dynamically create fields using named capture groups. For example, let's say you want to create the field netFlag from certain events, but still pass the results through that don't match. The solution is to add the strict=false flag to the regex() function. This means extract if it matches, but still pass the data through even if it doesn't match in the query.

#event_simpleName=ProcessRollup2 event_platform=Win
| ImageFileName=/\\(whoami|net1?|systeminfo|ping|nltest)\.exe/i
| regex("net1?\s+(?<netFlag>\S+)\s+", field=CommandLine, flags=i, strict=false)

Knowledge Base

FAQ: How do I complete a regex() extraction without filtering data?

Enter search term