https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121592#M32725 <P>I want to extract a pattern from existing field "source" whose value is /abc/Prod/log/p123ot12. I want to extract p123ot12 from this source field and want to put it in new field called job.</P> <P>Need your assistance ASAP. </P> Sun, 24 May 2015 22:00:48 GMT Sourabhv05 2015-05-24T22:00:48Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121592#M32725 <P>I want to extract a pattern from existing field "source" whose value is /abc/Prod/log/p123ot12. I want to extract p123ot12 from this source field and want to put it in new field called job.</P> <P>Need your assistance ASAP. </P> Sun, 24 May 2015 22:00:48 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121592#M32725 Sourabhv05 2015-05-24T22:00:48Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121593#M32726 <P>Hi Sourabhv05,</P> <P>So, you want an answer asap <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> <P>Your regex is pretty easy, you're looking for everything after the last <CODE>/</CODE> so try this:</P> <PRE><CODE>your base search goes here | rex field=source "(?&lt;job&gt;[^\/]*)$" | table job </CODE></PRE> <P>This will extract everything after the last <CODE>/</CODE> and put it in a field called <CODE>job</CODE>.</P> <P>You can test and learn regex over here <A href="https://regex101.com">https://regex101.com</A></P> <P>Hope that helps and was asap enough <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>cheers, MuS</P> Sun, 24 May 2015 22:40:44 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121593#M32726 MuS 2015-05-24T22:40:44Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121594#M32727 <P>Hi Mus,</P> <P>I am getting error while pasting this regex after my search. Error is Error in 'SearchOperator:regex': Usage: regex &lt;field&gt; (=|!=) &lt;regex&gt;. </P> <P>My base search is index = abc host = "xyz" </P> <P>When i have put it like index = abc host = "xyz" |regex field=source "(?&lt;job&gt;[^\/]*)$" | table job it gave me above error. Please help</P> Sun, 24 May 2015 22:46:39 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121594#M32727 Sourabhv05 2015-05-24T22:46:39Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121595#M32728 <P>Well do you have a field called source? Try <CODE>rex</CODE> instead of <CODE>regex</CODE> and if it's still not working try this:</P> <PRE><CODE> index=abc host="xyz" |rex "(?&amp;lt;job&amp;gt;[^/]*)$" | table job </CODE></PRE> Sun, 24 May 2015 22:53:23 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121595#M32728 MuS 2015-05-24T22:53:23Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121596#M32729 <P>thanks alot Mus. It works perfectly. </P> Sun, 24 May 2015 22:58:51 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121596#M32729 Sourabhv05 2015-05-24T22:58:51Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121597#M32730 <P>I need one more help. I have a pattern ABCDEF**** in my logs which are getting indexed on Splunk . I need to put that pattern in an field which i want to display in table along with job, How can i do that ?</P> Sun, 24 May 2015 23:07:35 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121597#M32730 Sourabhv05 2015-05-24T23:07:35Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121598#M32731 <P>Okay, instead of asking for more help; Why don't you read the docs about the <CODE>field extractor</CODE> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/ExtractfieldsinteractivelywithIFX">http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/ExtractfieldsinteractivelywithIFX</A> and learn how to use it. It helps you to get anything out of your events into fields, which then can be used in any further search within the same app. Make your life much easier <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sun, 24 May 2015 23:14:05 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121598#M32731 MuS 2015-05-24T23:14:05Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121599#M32732 <P>Add the field called source to your table..</P> <P>... | table source , myfield1, myfield2, myfieldN</P> Mon, 25 May 2015 03:27:16 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121599#M32732 esix_splunk 2015-05-25T03:27:16Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121600#M32733 <P>Uppsss, my bad. looks like I got the additional question wrong <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 25 May 2015 04:33:59 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extraction-of-Pattern-from-existing-field/m-p/121600#M32733 MuS 2015-05-25T04:33:59Z