topic Re: Rex for Source in Splunk Search

Rex for Source

priyankamundarg — Tue, 29 Sep 2020 11:04:23 GMT

My source filed has value such as,

/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log

I would like to extract the "LoadABCDEF" from the source.

Similarly

/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source.

can someone help me how to fetch the application name from the source?
| rex field=source "*"

Re: Rex for Source

inventsekar — Tue, 29 Sep 2020 11:07:28 GMT

/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log
I would like to extract the "LoadABCDEF" from the source.

the updated query -
| rex field=source "\/(?\w+)_" | table sourceRex
/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source(Folder3 may contains an underscore).

| rex field=source "(\/\w+){3}\/(?<rexOutput>\w+)\S+" | table rexOutput

for learning,

\/ -- for matching(escaping) the first "/"
\w+ --- match any word character(letter, number, or _) ("+" means, one or more match)
{3} ---- match 3 times 
(/Folder1/Folder2/Folder3/ will be matched till this) then, we need create our rex extraction.
?<rexOutput> --- assign rex extraction to this variable.
\w+ ---- the rex is matching for any word character, once or more.
\S+ ---- not white space, once or more

Re: Rex for Source

haley_swarnapat — Tue, 29 Sep 2020 11:07:30 GMT

To extract /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log Try this:
| rex field=source "(?[A-Za-z]+_[0-9]+).log"
it will only extract the last filename as long as it is written in "alphabet_numeric.log" format

To extract /Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path try this:
| rex field=source "(?[A-Za-z]+_[A-Za-z]+)"
it will extract only the folder with "alphabet_alphabet" format

Re: Rex for Source

haley_swarnapat — Thu, 22 Sep 2016 10:22:59 GMT

after the question mark "?", you need to add the or <output> field
I don't know why I can't type those "angle bracket" in the answer like <> or <>

Re: Rex for Source

priyankamundarg — Tue, 29 Sep 2020 11:04:30 GMT

Thank you for the quich response.
For below
/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source.
| rex field=source "\/(?\w+_\w+)\/" | table sourceRex

its giving sourceRex value as Folder3. Can u please elaborate how its working?

Re: Rex for Source

priyankamundarg — Thu, 22 Sep 2016 11:13:18 GMT

actually Folder3 is like Folder_3. is it breaking there?

Re: Rex for Source

inventsekar — Thu, 22 Sep 2016 11:33:10 GMT

exactly, yes, if folder3 is having an underscore, then, please check -

| rex field=source "\/(?\w+\_\w+)\/w+\/" | table sourceRex

Re: Rex for Source

priyankamundarg — Fri, 23 Sep 2016 06:24:06 GMT

How to give 0 or 1 condition for ""? "" may or may not be there in the path.
Like "OrderOnline_ABCD" may have "OrderOnlineABCD" value. this value is gettimg ignored.
[0|1] OR [0,1] doesn't work here? \/(?\w+[0|1]_\w+)\/w+\/ its is not working. Kindly help

Re: Rex for Source

priyankamundarg — Tue, 29 Sep 2020 11:05:05 GMT

How to ignore "_" in tha path. Few \/(?\w+[0|1]_\w+)\/w+\/ kind is not working. Please help me with that. Because value can be "OrderOnline_ABCD" or "OrderOnlineABCD". the current rex is ignoring "OrderOnlineABCD"

Re: Rex for Source

inventsekar — Fri, 23 Sep 2016 06:41:28 GMT

Pls try the updated query on the answer..

Re: Rex for Source

priyankamundarg — Tue, 29 Sep 2020 11:05:08 GMT

This is definitely working. But how to ignore displaying of date format after ""?I want to display only "LoadABCDEF". and ther is one more "" inbetween the path like Folder_3.

Re: Rex for Source

haley_swarnapat — Fri, 23 Sep 2016 06:50:21 GMT

try this:

| rex field=source "(\/\w+){3}\/(?<rexOutput>\w+)\S+" | table rexOutput

Re: Rex for Source

priyankamundarg — Fri, 23 Sep 2016 06:54:14 GMT

I did not get. Can you please send it again?

Re: Rex for Source

priyankamundarg — Fri, 23 Sep 2016 07:12:32 GMT

It worked perfectly. Thank you so much

Re: Rex for Source

inventsekar — Fri, 23 Sep 2016 08:16:34 GMT

+1...
Good one, Haley Swarnapati.

Re: Rex for Source

inventsekar — Fri, 23 Sep 2016 08:18:08 GMT

@priyankamundargi, please check this quick ref guide on page 6,
https://www.splunk.com/content/dam/splunk2/pdfs/solution-guides/splunk-quick-reference-guide.pdf

Re: Rex for Source

haley_swarnapat — Fri, 23 Sep 2016 08:39:47 GMT

To extract "LoadABCDEF" from /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log:

| rex field=source "(\/\w+){5}\/(?<rexOutput>[A-Za-z0-9]+).*" | table rexOutput

To extract "Folder3":
| rex field=source "(\/\w+){2}\/(?<rexOutput>[^\/]+).*" | table rexOutput

It wil work regardless how many symbol you put in folder3 you can test with "F-old(er)_3$%"