topic Re: What is the regular expression to extract substring from a string? in Splunk Search

What is the regular expression to extract substring from a string?

rakeshcse2 — Thu, 16 Feb 2017 20:01:08 GMT

My log source location is : C:\logs\public\test\appname\test.log

I need a regular expression to just extract "appname" from the source location in my search output and then display that as a new column name.

Re: What is the regular expression to extract substring from a string?

somesoni2 — Thu, 16 Feb 2017 20:28:18 GMT

Give this a try

Updated

your current search giving field source which contains full file path
| rex field=source "^([^\\\\]+\\\\)+(?<AppName>[^\\\\]+)\\\\"

Runanywhere sample:

| gentimes start=-1 | eval source="C:\logs\public\test\appname\test.log" | table source | rex field=source "^([^\\\\]+\\\\)+(?<AppName>[^\\\\]+)\\\\"

Re: What is the regular expression to extract substring from a string?

rakeshcse2 — Thu, 16 Feb 2017 20:31:13 GMT

Thank you, but the appname is not constant and it is different for different application.
I need to extract any xyz appname from the source location.

Re: What is the regular expression to extract substring from a string?

somesoni2 — Thu, 16 Feb 2017 20:34:15 GMT

It's capturing whatever string comes as the immediate parent to file name. The 2nd is just an example search to test it.

Re: What is the regular expression to extract substring from a string?

rakeshcse2 — Thu, 16 Feb 2017 20:41:58 GMT

I am using this and its not working:

source=* "error" host="*" | chart count by source | rex field=source "^([^\]+\)+(?[^\]+)\\"

Re: What is the regular expression to extract substring from a string?

somesoni2 — Thu, 16 Feb 2017 20:45:55 GMT

Try with the updated string (needed one additional backslash, 4 at a time)

Re: What is the regular expression to extract substring from a string?

mpreddy — Thu, 16 Feb 2017 21:01:23 GMT

try this:

|stats c |eval _raw="C:\logs\public\test\appname\test.log"|rex field=_raw "\w+.\w+.\w+.(?<appname>\w+)"

Re: What is the regular expression to extract substring from a string?

rakeshcse2 — Thu, 16 Feb 2017 21:04:19 GMT

Sorry, i deleted my last post , that was not clear.

The thing is we just need to change teh regex to include one more / in the source path, that is :

C:\logs\public\test\appname\abcd\test.log
From the top i need to extract appname only.

Re: What is the regular expression to extract substring from a string?

somesoni2 — Thu, 16 Feb 2017 21:06:45 GMT

You need to fix a position for the app name (earliest we assumed it was the last folder before the file name). So can we say it's always the 5th segment from start? If yes, then try this

....| rex field=source "^([^\\\\]+\\\\){4}(?<AppName>[^\\\\]+)\\\\"

Re: What is the regular expression to extract substring from a string?

rakeshcse2 — Thu, 16 Feb 2017 22:23:20 GMT

Thank you very much, that worked.