How to extract a substring of existing field values into a new field?

chvnc — Tue, 29 Sep 2020 10:01:31 GMT

I want to make a new field with extracted values like Header.txt, LogMessage.xml , JSON_HEADER.json (it's from the second _ to the end of the string)

Sample data:

/home/collection/collections/data/TIBCOJNDIQAT4A/export/20/PL-ADMIN-11004.30A5748A69B1:ADF086E40_20160621223510_Header.txt

/home/collection/collections/data/TIBCOJNDIQAT4A/export/20/PL-ADMIN-11004.30A5748A69B1:ADF086E40_20160621223510_LogMessage.xml

/home/collection/collections/data/TIBCOJNDIQAT4A/export/20/PL-ADMIN-11004.30A5748A69B1:ADF086E40_20160621223510_JSON_HEADER.json

Re: How to extract a substring of existing field values into a new field?

sk314 — Wed, 22 Jun 2016 18:24:59 GMT

Try this:

rex field=<your_field> "([A-Za-z0-9]+_){2}(?<extracted_field>[^.]+.[^$\n ]+)"

Disclaimer: This is a lousy regex.Someone will surely swoop in and save the day with an optimal regex.

topic How to extract a substring of existing field values into a new field? in Splunk Search

How to extract a substring of existing field values into a new field?

Re: How to extract a substring of existing field values into a new field?