Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with my regular expression extraction?

swetar
New Member
‎10-11-2018 07:09 PM

Can anyone please suggest to me how I can break this event...

PATH="/user/hive/datastore/xyz.db/file_name1"
PATH="/user/hive/datastore/xyz.db/file_name2"
PATH="/user/hive/datastore/xyz.db/file_name3"

Into this required output:

required output 
file_name1
file_name2
file_name3

Thanks in advance
swetar

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Rob2520
Communicator
‎10-11-2018 07:40 PM

alt text

View solution in original post

Preview file
2 KB
0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎10-11-2018 07:52 PM

hello there,

try this search anywhere:

  | makeresults count=1
    | eval  PATH="\"/user/hive/datastore/xyz.db/file_name1\";\"/user/hive/datastore/xyz.db/file_name2\";\"/user/hive/datastore/xyz.db/file_name3\""
    | makemv PATH delim=";"
    | mvexpand PATH
    | table PATH
    | rename COMMENT as "above generates data, below is your solution"
    | rex field=PATH "\"\/(?<dir_1>[^\/]+)\/(?<dir_2>[^\/]+)\/(?<dir_3>[^\/]+)\/(?<dir_4>[^\/]+)\/(?<file_name>[^\"]+)"

screenshot:
alt text

Preview file
77 KB
0 Karma
Reply
Solved! Jump to solution

swetar
New Member
‎10-15-2018 11:38 PM

Thank you for your reply. I was able to do this ,using the below expression

"\/(?[^\/]+)$"

Many thanks

0 Karma
Reply
Solved! Jump to solution

swetar
New Member
‎10-15-2018 02:24 AM

Thank you for your reply . I tried in this way. But didn't worked. Can you please suggest me,where I am wrong .
sourcetype="XXXXXX"| mvexpand PATH
| table PATH
| rex field=PATH "\"\/(?[^\/]+)\/(?[^\/]+)\/(?[^\/]+)\/(?[^\/]+)\/(?[^\"]+)"

0 Karma
Reply
Solved! Jump to solution
Solution

Rob2520
Communicator
‎10-11-2018 07:40 PM

alt text

Preview file
2 KB
0 Karma
Reply
Solved! Jump to solution

swetar
New Member
‎10-15-2018 11:38 PM

Thank you for your reply. I was able to to do this ,using the below expression

"\/(?[^\/]+)$"

0 Karma
Reply
Solved! Jump to solution

swetar
New Member
‎10-15-2018 02:27 AM

Thank you for your reply . I tried this way but didn't work. I am new to regular expression. Can you please suggest me with complete syntax.

Many thanks
Swetar

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...