Splunk Search

How to get values after the last /

Laya123
Communicator

Hi,

After using search command I got the following output for XYZ field

/mrIWeb/Images/SE/2.1/lib/qstudio/qcreator/qcore/QWidget.js
/mrIWeb/Images/SE/2.0/source/js/SurveyEngine.js
/mrIWeb/Images/SE/1.7.1/lib/qstudio/qcreator/qcomponent/BtnMatrix.js
/mrIWeb/Images/SE/1.8/lib/qstudio/qcreator/qcomponent/DragnDrop.js

but I don't want my output like this,

I want to display my output like

/mrIWeb/Images/SE/2.1
/mrIWeb/Images/SE/2.0
/mrIWeb/Images/SE/1.7.1
/mrIWeb/Images/SE/1.8

I got an answer for this and thank you so much, it is working, but I want 2 columns like

/mrIWeb/Images/SE/2.1                                           QWidget.js
/mrIWeb/Images/SE/2.0                                           SurveyEngine.js
/mrIWeb/Images/SE/1.7.1                                         BtnMatrix.js
/mrIWeb/Images/SE/1.8                                           DragnDrop.js

Can you help me with this?

Thanks

0 Karma
1 Solution

MuS
SplunkTrust

Try this as regex:

your base search here | rex "^(.*[\\\/])(?<myLast>.+)" | table myLast

hope this helps ...

cheers, MuS


Patient
Path Finder

Hello,

Try with this:

... | rex field=XYZ "(?<XYZ_trimmed>\w+);(?<*.js>\w+)"
0 Karma

Laya123
Communicator

Thank you so much- MuS

0 Karma

Laya123
Communicator

Hey, I am not getting the accept button to accept it, can you tell me how to accept it?

And also, if you don't mind, can you explain how you have used the rex command rex "^(.*[\\\/])(?<myLast>.+)", meaning what is meant by '^' and why 3 '\' are used? This will help me to do more queries using 'rex'.

Thank you

0 Karma

MuS
SplunkTrust

No problem I will break it down for you:

^(.*[\/])(?<myLast>.+)

translates into:

^ - matches the beginning of a string
(.*[\/]) - captures a matching group containing any character 0 or more times ending with a /
(?<myLast>.+) - captures a named group containing any character 1 or more times

I removed the 3 \ because it was actually used before as universal regex for windows and unix path.
You can learn regex on any of the online testers like www.regexr.com or www.regexpal.com

cheers, MuS
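
Building on the breakdown above, one way to produce the two columns asked for in the question. This is an added example, not part of the original thread: the field names base_path and file_name are assumptions, and makeresults only rebuilds the four sample XYZ values from the question so the search runs without an index. The first named group stops at the first / after the version directory, the optional non-capturing group skips any intermediate directories, and the second named group takes what follows the last /.

```spl
| makeresults
| eval XYZ=split("/mrIWeb/Images/SE/2.1/lib/qstudio/qcreator/qcore/QWidget.js|/mrIWeb/Images/SE/2.0/source/js/SurveyEngine.js|/mrIWeb/Images/SE/1.7.1/lib/qstudio/qcreator/qcomponent/BtnMatrix.js|/mrIWeb/Images/SE/1.8/lib/qstudio/qcreator/qcomponent/DragnDrop.js", "|")
| mvexpand XYZ
| rex field=XYZ "^(?<base_path>/mrIWeb/Images/SE/[^/]+)/(?:.*/)?(?<file_name>[^/]+)$"
| table base_path file_name
```

Against real data, replace the first three lines with the base search and keep the rex and table commands.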

Laya123
Communicator

Thank you so much- MuS, it's working

0 Karma

MuS
SplunkTrust

you're welcome - but could you please accept the answer that is working - thx 🙂

0 Karma

Laya123
Communicator

Thank you,

I am very new to this Splunk tool

I tried using the rex command but I am unable to get the results

I want only the last portion (which is highlighted in bold) from the results below, which are derived from the XYZ field
/mrIWeb/Images/SE/2.1/lib/qstudio/qcreator/qcore/QWidget.js
/mrIWeb/Images/SE/2.0/source/js/SurveyEngine.js
/mrIWeb/Images/SE/1.7.1/lib/qstudio/qcreator/qcomponent/BtnMatrix.js
/mrIWeb/Images/SE/1.8/lib/qstudio/qcreator/qcomponent/DragnDrop.js

please help me to resolve this

Thanks

0 Karma

lukasz92
Communicator

Maybe you need to learn regular expressions?
There is a rex command, which can extract fields you want to have

0 Karma