Solved: How to extract part of a field which has hyphens?

SGL · ‎12-20-2022

Hi,

I wanted to extract the field "login-first" and "delaccount" from result events. Following are 2 sample fields from the results logs.

cf_app_name: AB123-login-first-pr

cf_app_name: CD123-delaccount-pr

Sample query used :

index=preprod source=logmon env="preprod"

Please help me to extract the fields.

Thanks in advance,

SGL

Manasa_401 · ‎12-22-2022

Hello @SGL

I hope the following regex helps you.

| rex field=cf_app_name "(?<new_field>(?<=-).*?(?=-pr))"

If this helps, an upvote would be appreciated.

Thanks,

Manasa

gcusello · ‎12-22-2022

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Manasa_401 · ‎12-22-2022

Hello @SGL

I hope the following regex helps you.

| rex field=cf_app_name "(?<new_field>(?<=-).*?(?=-pr))"

If this helps, an upvote would be appreciated.

Thanks,

Manasa

gcusello · ‎12-21-2022

to help you in field extraction is mandatory to have some sample of your logs to create a regex.

Ciao.

Giuseppe

How to extract part of a field which has hyphens?