Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Extracting the last words from my Logfile
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extracting the last words from my Logfile
My logfile has lines like this:
MY_TEST;0;12/12/2014 23:30:14:9000;1;MK69KSS97;TRKCHOP;;4480;EXPORT THE TALISMAN;9;0;0;;Q:\TRKCHOP\POMS\KSKAGNE\IN\STAKK.TXT
i want to extract the the last word that is "STAKK.TXT"
can anybody help me in this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Considering the performance of the regex command I think you should try below run anywhere search as you do not need to go via entire event just to get the last string rather you can directly starts from the last.
| makeresults
| eval _raw="MY_TEST;0;12/12/2014 23:30:14:9000;1;MK69KSS97;TRKCHOP;;4480;EXPORT THE TALISMAN;9;0;0;;Q:\TRKCHOP\POMS\KSKAGNE\IN\STAKK.TXT"
| rex field=_raw "(?<field>[^\\\\]+$)"
In your environment, you should write
<your base search> | rex field=_raw "(?<field>[^\\\\]+$)"
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Mayur
Tried this | rex field=_raw "(?[^\\]+$)" but its not working
Any other suggestions.
Regards,
Pradipta
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As from the run anywhere search it is working for the given event. Can you provide some sample events for which it is not working ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @pradiptam
Assuming your sample event looks like this.
MY_TEST;0;12/12/2014 23:32:14:9000;1;MK69KSS97;TRKCHOP;;4480;EXPORT THE TALISMAN;9;0;0;;Q:\TRKCHOP\POMS\KSKAGNE\IN\STAKK.TXT
MY_TEST;0;12/12/2014 23:31:14:9000;1;MK69KSS97;TRKCHOP;;4480;EXPORT THE TALISMAN;9;0;0;;Q:\TRKCHOP\POMS\KSKAGNE\IN\STAKK.TXT
MY_TEST;0;12/12/2014 23:30:14:9000;1;MK69KSS97;TRKCHOP;;4480;EXPORT THE TALISMAN;9;0;0;;Q:\TRKCHOP\POMS\KSKAGNE\IN\STAKK.TXT
try this search:
your base search | rex field=_raw ".*\\w+\\w+\\w+\\w+(?<your_field_name>\w+\.\w+)"
Hope it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pradiptam,
Please try <yourbasesearch> | rex ".*;*\\\(?<extracted_field>\S+)"
I am running below run anywhere search which is generating new field called extracted_field with value STAKK.TXT (First 2 lines in below query are generating sample data only.
| makeresults
| eval _raw="MY_TEST;0;12/12/2014 23:30:14:9000;1;MK69KSS97;TRKCHOP;;4480;EXPORT THE TALISMAN;9;0;0;;Q:\TRKCHOP\POMS\KSKAGNE\IN\STAKK.TXT"
| rex ".*;*\\\(?<extracted_field>\S+)"
I hope this helps.
Thanks,
Harshil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Harshil
Its works for the line only, how do i include my full logfile to get the desired results
Regards,
Pradipta
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Pradipta,
Can you please provide your full log sample events ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this.
index=your_search |rex "^.*\\\(?P<filename>.*)$"
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Splunk MCP & Agentic AI: Machine Data Without Limits
