Solved: How to create a field from values with the source ...

vishalduttauk · ‎03-28-2023

I've created fields from regex expressions before but never from the source field.

This is an example of the value within the source field:
\\host0000\Test\IT Information\ Data Files\Daily Reporting\Business Unit\

I would like to extract the business unit value and call it Business Unit.

I have access to create a props.conf file.

Can you help?

Kind regards,

Vishal

vsommer · ‎03-28-2023

Hello Vishal,

is the folder structure always the same? If yes, this should work:

| rex field=source "Daily Reporting\\(?<business_unit>[^\\]+)"

If not you could use this regex:

\\\\[^\\]+\\[^\\]+\\[^\\]+\\[^\\]+\\[^\\]+\\(?<business_unit>[^\\]+)

If you want to include this to props.conf and transforms.conf try something like this:

props.conf

[sourcetype]
REPORT-my_fields = business_unit

transforms.conf

[business_unit]
SOURCE_KEY = source
REGEX = one of the above mentioned regex

If this helps please upvote my answer.

Best regards,

Vincent

vsommer · ‎03-28-2023

Hello Vishal,

is the folder structure always the same? If yes, this should work:

| rex field=source "Daily Reporting\\(?<business_unit>[^\\]+)"

If not you could use this regex:

\\\\[^\\]+\\[^\\]+\\[^\\]+\\[^\\]+\\[^\\]+\\(?<business_unit>[^\\]+)

If you want to include this to props.conf and transforms.conf try something like this:

props.conf

[sourcetype]
REPORT-my_fields = business_unit

transforms.conf

[business_unit]
SOURCE_KEY = source
REGEX = one of the above mentioned regex

If this helps please upvote my answer.

Best regards,

Vincent

gcusello · ‎03-28-2023

if the number ot subfolders in path is fixed you can use this regex in a search:

| rex field=source "\\(\\[^\\]+){5}\\(?<business_unit>[^\\]+)"

if instead you want to use this regex in a field extraction, you can use:

\\(\\[^\\]+){5}\\(?<business_unit>[^\\]+) in source

Ciao.

Giuseppe

How to create a field from values with the source field?