Thank you it work,

is possible to do this:

Here is my source column,
/data/product1/customer1/20210628/log.SRV21.20210622.bz2
/data/product2/customer2/20210628/log.dlbranch1.20210628.bz2
...

is it possible to populate these fields from source on dashboard?
servername= SRV21
servername= dlbranch1

product= product1
product= product2

customer= customer1
customer= customer2

@indeed_2000 

Can you please try this?

YOUR_SEARCH_WITH_COLUMN_FIELD
| rex field=source "\/data\/(?<product>\w+)\/(?<customer>\w+)\/.*\/log\.(?<servername>\w+)."
| table source servername product customer

My Sample Search :

| makeresults | eval _raw="source
/data/product1/customer1/20210628/log.SRV21.20210622.bz2
/data/product2/customer2/20210628/log.dlbranch1.20210628.bz2
" | multikv forceheader=1
| rex field=source "\/data\/(?<product>\w+)\/(?<customer>\w+)\/.*\/log\.(?<servername>\w+)."
| table source servername product customer

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
 

Thanks it work

but i want to populate/query it on dashboard and below spl not work, when i add this part “search SRV18” no result return. But when remove this part return all source and servername

| metadata type=sources index="main" earliest=1 | dedup source | rex field=source "\/.*\/log\.(?<servername>\w+)."  | search "SRV18"
| table source servername

any idea?

@indeed_2000 

It should work like this.

| makeresults | eval _raw="source
/data/product1/customer1/20210628/log.SRV21.20210622.bz2
/data/product2/customer2/20210628/log.dlbranch1.20210628.bz2
" | multikv forceheader=1
| rex field=source "\/data\/(?<product>\w+)\/(?<customer>\w+)\/.*\/log\.(?<servername>\w+)."
| table source servername product customer
| search servername="SRV21"

Can you please share source which contain SRV18 as server name ?

KV