I want to apply a regular expression to remove unwanted data in a column based on the field.
If the field value starts with android, I want to match and remove everything after the 2nd word completely. Vice versa, if the value starts with apple, I want to remove everything after the 3rd word. Please help with this regular expression...
Answer needed as below:
application_name ==== field after extraction
android gingerbird 4.5 ==== android gingerbird
android orea 3.4 ==== android orea
android cake 6.7 ==== android cake
apple ios make 6.7 ==== apple ios make
apple iwatch device 4.5 ==== apple iwatch device
There might be a slicker way of doing this but this works (but not in one combined regex). Everything up to | fields - count generates some test data to work against.
| makeresults count=5
| streamstats count
| eval application_name = CASE ( count==1, "android gingerbird 4.5", count==2, "android orea 3.4", count==3, "android cake 6.7", count==4, "apple ios make 6.7", count==5, "apple iwatch device 4.5")
| fields - count
| rex field=application_name "^(?<make>[^\s]+).*"
| rex field=application_name "^(?<temp_two_fields>[^\s]+\s[^\s]+).*"
| rex field=application_name "^(?<temp_three_fields>[^\s]+\s[^\s]+\s[^\s]+).*"
| eval make_model = CASE ( make=="android", temp_two_fields, make=="apple", temp_three_fields )
| fields - temp_two_fields, temp_three_fields
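The same extraction as one combined regex, as an added example that is not part of the original answer: a single rex with one alternation branch per make, run over the thread's five sample values. Rows 6 and 7 are constructed edge cases, flagged in the hypothetical sample_source field, and coalesce keeps the original value where neither branch matches.

```spl
| makeresults count=7
| streamstats count
| eval application_name = case(
    count==1, "android gingerbird 4.5",
    count==2, "android orea 3.4",
    count==3, "android cake 6.7",
    count==4, "apple ios make 6.7",
    count==5, "apple iwatch device 4.5",
    count==6, "apple ios",
    count==7, "windows phone 8.1")
| eval sample_source = if(count>5, "constructed", "from thread")
| fields - count
| rex field=application_name "^(?<make_model>android\s+\S+|apple\s+\S+\s+\S+)"
| eval make_model = coalesce(make_model, application_name)
| table application_name, make_model, sample_source
```

Because the named group wraps the whole alternation, the ^ anchor applies to both branches, and a value such as "apple ios" with too few words falls through to the coalesce instead of being cut short.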
Hi, can you paste some sample events which have this data?
Can you try below:
| rex field=application_name "^(?<application_name>[^\d]+)"
It's just a column value.
How can I apply based on field? @sudosplunk
Do you want to create a new field name/column according to the condition?
OR
Change the values/create a new column with changed values?