Field Extraction from another field

New Member

Hi All,

We have a email logs , which are getting extracted. However, field name "file" also extracting the Urls. My plan is to extract the new field "url" from field "file" . Under field name "url" (anything which start with http* should be part of this field ) remaining we can create new field called "files".

file= test1.txt , test2.txt ,

New expected output
files=test1.txt , test2.txt

Thanks in advance.

Ultra Champion

Try this (first two lines are just to generate some sample data, replace those with your actual search):

| makeresults 
| eval file= "test1.txt , test2.txt ,";
| eval file = split(file,",")
| eval url = mvjoin(mvfilter(match(file,"^\s*http")),",")
| eval file = mvjoin(mvfilter(NOT match(file,"^\s*http")),",")

You might need to do some cleanup on spaces

And an alternative using rex to extract the urls into the url field and sed to clean up the file field:

| makeresults 
| eval file= " , test1.txt , , test2.txt ,";
| rex field=file max_match=0 "(?<url>http[^,\s]+)"
| eval url = mvjoin(url," , ")
| rex field=file mode=sed "s/ , http[^,\s]+( ,)?/\1/g"
| rex field=file mode=sed "s/^http[^,\s]+( , )?//g"
New Member

try this
...|rex field=file "(?.+[^\,]+)\,(?https.*)"

