My query fetches (recipient, time, subject) in a table.
However, my requirement is to split the incident number (INC00027697776) from the subject and display it in another column named Incident.
Hi
please try the next
...
| rex "(?<wholeInc>INC\d+)"
| rex field=wholeInc "INC(?<incNum>\d+)"
r. Ismo
Hi @priya0709 ,
Can you share an/some example(s) of what the subject might look like?
BR
Ralph
Below are 2 examples of subject lines for which I need to split the incident name and display it in another column:
1. INC000027679570 | <servername> | scom exchange 2k16: Failed to connect to computer
2. Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on <servername>
How do I use the query below to separate the servername, which has different names, e.g.:
WSINI601XASI01
WRDNA502XUSA05
WGBR601XGBR11
from the subject lines below:
1. INC000027679570 | <servername> | scom exchange 2k16: Failed to connect to computer
2. Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on <servername>
Hi @priya0709 ,
Well, there has to be something "unique" to identify them.
Do they always start with a capital "W"?
Is there a min/max length of the string?
Do the subjects where they appear always look the same? You gave 2 examples, are there more possible subjects where they appear?
The following simple RegEx would work if there are never any other words/strings that start with a capital "W" in the subject and if servername always has "W" as first character:
| rex field=subject "(?<servername>W\S+)"
You could make it more sensitive by adding words/characters that appear around the servername, if that is limited. Or you could specify a min and max length of the servername string.
Hope it helps.
BR
Ralph
--
Karma and/or Solution tagging appreciated.
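An added example, not code from the thread: an offline Python check of the thread's patterns against both subject formats, showing that `W\S+` picks up "Wo#" in the second format while a length-bounded pattern does not. The subjects are constructed by filling the thread's sample server names into `<servername>`, and the 13 to 14 character bound is an assumption taken from the three sample names.

```python
import re

# Python spells named groups (?P<name>...); Splunk's rex uses (?<name>...).
INCIDENT = re.compile(r"(?P<Incident>INC(?P<incNum>\d+))")
LOOSE_SERVER = re.compile(r"(?P<servername>W\S+)")
# Assumption from the three sample names: "W" plus 12-13 uppercase
# letters or digits (13-14 characters in total).
STRICT_SERVER = re.compile(r"\b(?P<servername>W[A-Z0-9]{12,13})\b")

# Constructed subjects: the thread's two formats with sample names filled in.
SUBJECTS = [
    "INC000027679570 | WSINI601XASI01 | scom exchange 2k16: "
    "Failed to connect to computer",
    "Wo# 1197736/ INC00027697776/ please perform hardware diagnostic "
    "on WGBR601XGBR11",
]


def extract(subject):
    """Return the fields each pattern would put in the results table."""
    def first(pattern, group):
        match = pattern.search(subject)
        return match.group(group) if match else None

    return {
        "Incident": first(INCIDENT, "Incident"),
        "incNum": first(INCIDENT, "incNum"),
        "loose_servername": first(LOOSE_SERVER, "servername"),
        "servername": first(STRICT_SERVER, "servername"),
    }


if __name__ == "__main__":
    for subject in SUBJECTS:
        print(extract(subject))
```

In SPL the bounded pattern would be written `| rex field=subject "\b(?<servername>W[A-Z0-9]{12,13})\b"`; widen the bounds if real host names are shorter or longer than the samples.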
Thank you so much
Thank you for your reply!!
But I want to pull the incident name from the subject field?
Hi @priya0709 ,
That's what @isoutamo 's first command does. You can add the field if you like:
| rex field=subject "(?<wholeInc>INC\d+)"
The second command was just to strip the pure number (without "INC") from the whole incident ID.
BR
Ralph