Splunk Enterprise Security

i want to write regular expression with the field i have a field called "file_name"

New Member

I have a field named file_name, and in that field there is a value.

ex: file_name= Operating System-Linux-Server-Support-GENVE0001VA.gmail.com.au-GEN-Adm02

In this field I want to display only "GENVE0001VA.gmail.com.au"; the remaining value I don't want. Please let me know how to write a regex in a Splunk search query.

0 Karma

Re: i want to write regular expression with the field i have a field called "file_name"

SplunkTrust

Please explain how to identify the part of file_name to extract.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: i want to write regular expression with the field i have a field called "file_name"

Legend

Hi @mahendra559,
Is there a rule in the name of the field to extract or in the log?
E.g. it always starts with GEN, or there's always the FQDN, or the field to extract is always the part of the log between the last two "-".

In this last case try something like this:

index=your_index
| rex field=file_name "^.*-(?<file_name>[^-]*)-\w+-\w+$"
| ...

that you can test at https://regex101.com/r/XZNTeG/1

Ciao.
Giuseppe

0 Karma

Re: i want to write regular expression with the field i have a field called "file_name"

Path Finder

Assuming the naming convention is similar, you could try a capturing group with regex, this will just show the new field value in extracted fields or when specifically querying for the captured group.
Might look something like:

index=myindex sourcetype=myfiles 
| rex field=file_name ".+\-\w+\-\w+\-\w+\-(?<file_name>[^-]+)\-.+"
| stats count by file_name

The regex might be a bit off, but the main focus is the capturing group (?<file_name>.+); this creates a field called file_name where the value would be GENVE0001VA.gmail.com.au.
This can also be predefined in Settings >> Fields >> Field Extractions.

0 Karma
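To check the two regexes proposed in this thread against the sample value before pasting them into a search, here is an added Python script; it is not part of any answer above and not Splunk's own code. It assumes Python's standard re module, which spells named groups as (?P<name>...) where Splunk's PCRE-based rex uses (?<name>...); the sample file_name values are constructed (the first is the one from the question). It also goes one step beyond the thread with a regex-free split on "-" that implements the "between the last two dashes" rule.

```python
import re

# Constructed sample values following the naming convention in the thread;
# the first one is the example from the original question.
SAMPLE_FILE_NAMES = [
    "Operating System-Linux-Server-Support-GENVE0001VA.gmail.com.au-GEN-Adm02",
    "Operating System-Windows-Server-Support-GENVE0002VA.gmail.com.au-GEN-Adm07",
]

# Giuseppe's rule: the wanted value is the token between the last two "-".
# Splunk's rex is PCRE and writes (?<name>...); Python's re needs (?P<name>...).
LAST_TWO_DASHES = re.compile(r"^.*-(?P<file_name>[^-]*)-\w+-\w+$")

# The positional pattern as first posted: the greedy (.+) capture runs past the
# next "-", so it returns one token too many.
POSITIONAL_GREEDY = re.compile(r".+-\w+-\w+-\w+-(?P<file_name>.+)-.+")

# Same positional pattern with the capture limited to non-dash characters.
POSITIONAL_FIXED = re.compile(r".+-\w+-\w+-\w+-(?P<file_name>[^-]+)-.+")


def extract(pattern, file_name):
    """Return the captured group, or None when the pattern does not match
    (Splunk's rex likewise leaves the field unset on non-matching events)."""
    match = pattern.search(file_name)
    return match.group("file_name") if match else None


def extract_by_split(file_name, from_end=3):
    """Regex-free equivalent of the last-two-dashes rule: split on "-" and take
    the third token counted from the end. Returns None when there are too few
    tokens, instead of silently returning the wrong one."""
    parts = file_name.split("-")
    return parts[-from_end] if len(parts) >= from_end else None


def compare(file_name):
    """Run every approach over one value so the differences are visible side by side."""
    return {
        "last_two_dashes": extract(LAST_TWO_DASHES, file_name),
        "positional_greedy": extract(POSITIONAL_GREEDY, file_name),
        "positional_fixed": extract(POSITIONAL_FIXED, file_name),
        "split": extract_by_split(file_name),
    }


if __name__ == "__main__":
    for name in SAMPLE_FILE_NAMES:
        print(name)
        for approach, value in compare(name).items():
            print(f"  {approach:18s} -> {value!r}")
```

Running it shows the greedy positional pattern returning "GENVE0001VA.gmail.com.au-GEN" while the other three return "GENVE0001VA.gmail.com.au"; the lesson for the rex command is the same: inside a dash-delimited name, capture with [^-]+ rather than .+ so the group cannot swallow the next separator.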