Splunk Enterprise Security

i want to write regular expression with the field i have a field called "file_name"

New Member

i have a field name is file_name in that field value is there

ex: file_name= Operating System-Linux-Server-Support-GENVE0001VA.gmail.com.au-GEN-Adm02

in this field i want to display only "GENVE0001VA.gmail.com.au" this value remaining value i dont want please let me know how to write regex in splunk search query

0 Karma

Path Finder

Assuming the naming convention is similar, you could try a capturing group with regex, this will just show the new field value in extracted fields or when specifically querying for the captured group.
Might look something like:

index=myindex sourcetype=myfiles 
| rex field=file_name ".+\-\w+\-\w+\-\w+\-(?<file_name>.+)\-.+"
| stats count by file_name

The regex might be a bit off but the main focus is the capturing group (?.+), this creates a field called file_name where the value would be GENVE0001VA.gmail.com.au.
This can also be predefined in Settings >> Fields >> Field Extractions

0 Karma

SplunkTrust
SplunkTrust

Please explain how to identify the part of file_name to extract.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Legend

Hi @mahendra559,
is there a rule in the name of the field to extract or in the log?
e.g. starts always with GEN or there's always the FQDN, or the field to extract is alwaysthe part of the log between the last two "-".

In this last case try something like this:

index=your_index
| rex field=file_name "^.*-(?<file_name>[^-]*)-\w+-\w+$"
| ...

that you can test at https://regex101.com/r/XZNTeG/1

Ciao.
Giuseppe

0 Karma