Hi
I have the following file indexed
I need to capture only the following part from the filename
I am using this regex, which helps to capture only the filename from source, i.e. a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg
| rex field=source ".*\/(?<filename>.*)$"
I want to extract the part after the first dot (.) up to the number 600 in the filename, i.e. zgeypynd.pcsdatei.600. Please help me with the rex expression.
Hi @Ashwini008,
Indexing was mentioned before, which is why I posted the conf files. You can use the rex command below:
|rex field=source "\w\+\w\.(?<filename>\w+\.\w+.\d+)\."
Here is another regex. It uses the time as a reference, then skips everything until the first dot.
\d+:\d+ [^.]+\.(?<file>.*?\d+)\.
@scelikok Thank you. It worked as expected.
Hi @Ashwini008,
You can use the sample props.conf and transforms.conf below on your indexers; you may need to play with the regex to capture the correct part of the filename.
props.conf
[source::///dmd/archivy/*.gpg]
TRANSFORMS-replace_source = replacesourcefilename
transforms.conf
[replacesourcefilename]
SOURCE_KEY = MetaData:Source
REGEX = \w\+\w\.(\w+\.\w+.\d+)\.
DEST_KEY = MetaData:Source
FORMAT = source::$1.gpg
@scelikok Thank you, but I am seeking help with the regex expression.
@martin_mueller @cpetterborg @somesoni2 @richgalloway could you please suggest?
The following run-anywhere search string uses a rex command which will produce the results you want from the two examples provided:
| makeresults
| eval source="a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg"
| rex field=source "^[^\.]*\.(?<filename>.*\.600)"
The first part ^[^.]*\. is used to get rid of anything before the first .
The rest just captures the file name up to and including the 600.
This also assumes that the filename is in the source field, since that is what you seem to indicate, but you can substitute whatever field works.
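An added example, not part of any reply in this thread: a Python check of the two rex patterns posted above against the filename from the question and three constructed variants, to show where each one stops matching. The `(?<filename>...)` groups are written as `(?P<filename>...)` for Python's `re`; the `anchored` pattern and the variant filenames are assumptions made for the comparison.

```python
import re

# Patterns quoted in the thread. Splunk's (?<name>...) is written (?P<name>...)
# here because that is the named-group spelling Python's re module accepts.
PATTERNS = {
    # rex from the reply that keys on the single-character "a+b." prefix
    "prefix_shape": r"\w\+\w\.(?P<filename>\w+\.\w+.\d+)\.",
    # rex from the run-anywhere answer that ends the capture on a literal .600
    "literal_600": r"^[^\.]*\.(?P<filename>.*\.600)",
    # Assumption (not from the thread): anchored at the start, accepts any
    # prefix without dots, then two dot-separated parts and a numeric part.
    "anchored": r"^[^.]+\.(?P<filename>[^.]+\.[^.]+\.\d+)\.",
}

# Only "as_posted" is the filename from the question; the rest are constructed.
SAMPLES = {
    "as_posted": "a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg",
    "other_number": "a+b.zgeypynd.pcsdatei.750.gpg.1.20210127014546.gpg",
    "longer_prefix": "ab+cd.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg",
    "repeated_600": "a+b.zgeypynd.pcsdatei.600.gpg.1.600.gpg",
}


def extract(pattern_name, source):
    """Return the 'filename' capture for one pattern, or None if no match."""
    match = re.search(PATTERNS[pattern_name], source)
    return match.group("filename") if match else None


def compare():
    """Run every pattern over every sample: {sample_label: {pattern: capture}}."""
    return {
        label: {name: extract(name, source) for name in PATTERNS}
        for label, source in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, row in compare().items():
        print(label)
        for name, captured in row.items():
            print(f"  {name:13} -> {captured}")
```

All three agree on the filename as posted. The literal `.600` pattern returns nothing when the number differs and over-captures when `.600` appears again later in the name, while the `\w\+\w\.` pattern returns nothing once the prefix is longer than one character on either side of the `+`.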