topic Re: Extracting the last words from my Logfile in Getting Data In

Extracting the last words from my Logfile

pradiptam — Mon, 05 Mar 2018 07:08:28 GMT

My logfile has lines like this:

MY_TEST;0;12/12/2014 23:30:14:9000;1;MK69KSS97;TRKCHOP;;4480;EXPORT THE TALISMAN;9;0;0;;Q:\TRKCHOP\POMS\KSKAGNE\IN\STAKK.TXT

i want to extract the the last word that is "STAKK.TXT"

can anybody help me in this?

Re: Extracting the last words from my Logfile

miyamaet — Mon, 05 Mar 2018 08:37:03 GMT

Try this.

index=your_search |rex "^.*\\\(?P<filename>.*)$"

Re: Extracting the last words from my Logfile

harsmarvania57 — Mon, 05 Mar 2018 08:45:46 GMT

Hi @pradiptam,

Please try <yourbasesearch> | rex ".*;*\\\(?<extracted_field>\S+)"

I am running below run anywhere search which is generating new field called extracted_field with value STAKK.TXT (First 2 lines in below query are generating sample data only.

| makeresults
| eval _raw="MY_TEST;0;12/12/2014 23:30:14:9000;1;MK69KSS97;TRKCHOP;;4480;EXPORT THE TALISMAN;9;0;0;;Q:\TRKCHOP\POMS\KSKAGNE\IN\STAKK.TXT"
| rex ".*;*\\\(?<extracted_field>\S+)"

I hope this helps.

Thanks,
Harshil

Re: Extracting the last words from my Logfile

lloydknight — Mon, 05 Mar 2018 09:17:24 GMT

Hello @pradiptam

Assuming your sample event looks like this.

MY_TEST;0;12/12/2014 23:32:14:9000;1;MK69KSS97;TRKCHOP;;4480;EXPORT THE TALISMAN;9;0;0;;Q:\TRKCHOP\POMS\KSKAGNE\IN\STAKK.TXT

MY_TEST;0;12/12/2014 23:31:14:9000;1;MK69KSS97;TRKCHOP;;4480;EXPORT THE TALISMAN;9;0;0;;Q:\TRKCHOP\POMS\KSKAGNE\IN\STAKK.TXT

MY_TEST;0;12/12/2014 23:30:14:9000;1;MK69KSS97;TRKCHOP;;4480;EXPORT THE TALISMAN;9;0;0;;Q:\TRKCHOP\POMS\KSKAGNE\IN\STAKK.TXT

try this search:

your base search | rex field=_raw ".*\\w+\\w+\\w+\\w+(?<your_field_name>\w+\.\w+)"

Hope it helps!

Re: Extracting the last words from my Logfile

mayurr98 — Mon, 05 Mar 2018 09:33:03 GMT

Considering the performance of the regex command I think you should try below run anywhere search as you do not need to go via entire event just to get the last string rather you can directly starts from the last.

| makeresults 
| eval _raw="MY_TEST;0;12/12/2014 23:30:14:9000;1;MK69KSS97;TRKCHOP;;4480;EXPORT THE TALISMAN;9;0;0;;Q:\TRKCHOP\POMS\KSKAGNE\IN\STAKK.TXT" 
| rex field=_raw "(?<field>[^\\\\]+$)"

In your environment, you should write

<your base search> | rex field=_raw "(?<field>[^\\\\]+$)"

let me know if this helps!

Re: Extracting the last words from my Logfile

pradiptam — Tue, 06 Mar 2018 03:11:40 GMT

Thanks Harshil

Its works for the line only, how do i include my full logfile to get the desired results

Regards,
Pradipta

Re: Extracting the last words from my Logfile

pradiptam — Tue, 06 Mar 2018 03:14:31 GMT

Thanks Mayur

Tried this | rex field=_raw "(?[^\\]+$)" but its not working

Any other suggestions.

Regards,

Pradipta

Re: Extracting the last words from my Logfile

mayurr98 — Tue, 06 Mar 2018 03:34:52 GMT

As from the run anywhere search it is working for the given event. Can you provide some sample events for which it is not working ?

Re: Extracting the last words from my Logfile

harsmarvania57 — Tue, 06 Mar 2018 03:38:58 GMT

Hi Pradipta,

Can you please provide your full log sample events ?