Hi i have values in a column like AA(15), ABC(20), ADSF(90).Now i need a regular expression which gives me only values before the Bracket"(".
so i should get AA,ABC,ADSF as my output.
Please help.
try this:
/*source*/ | eval new=replace(Track,"\([0-9]*\)","")| table Track,new
Hi dsiob,
Thanks, it's working fine.
OK, so go back and UpVote
and helpful/correct answer and click Accept
on the correctest one.
try something like this,
source="ABC" sourcetype="csv"|where Level="Lvl3" AND Track="ATL(27)"|rex field=Track mode=sed "s/([^)]*)//"|table "Dom", Track Level
Like this:
| makeresults
| eval Track="ATL(27)"
| eval 'ATL(27)'=Track
| rex field="Track" mode=sed "s/\([^)]*\)//"
| rex field='ATL(27)' mode=sed "s/\([^)]*\)//"
| eval "ATLcopy(27)" = Track
| foreach "*copy(*)" [ rename <<FIELD>> AS "<<MATCHSEG1>>copy" ]
Hi Woodcock,
Can you please let me know what i am doing wrong here.
Basically i want the string value to print when i use it in Table funciton:
So the output should be "AA" when i pass "AA(27)" as input.
Here is my query:
source="ABC" sourcetype="csv"|where Level="Lvl3" and Track="ATL(27)"|rex field="ATL(27)" mode=sed "s/([^)]*)//"|table "Dom","field"
I am not at all clear about what you are trying to do but I have updated my answer with a mockup of 3 different guesses all in one search. One of them should be like what you are trying to do. See the updated answer.
If you want to get rid of the parentheses and the numeric values in them, use something like:
... | rex field=_raw mode=sed "s/\(\d*\)//g"
If you want to do a single field, use the fieldname instead of _raw. The value will be returned without the parenthesis and numbers, leaving the values you want.
Try this.. It will extract out only the AA, ABC, ADSF.. This will create the a field called FIELD_NAME
.. You can change it to whatever name you want
(?<FIELD_NAME>\w+)\(\d+\)