Re: Could you help me use rex to extract end value...

arrangineni · ‎09-12-2018

I have field values with the below formats and I need to extract the end value extensions like (cjs, js ..,etc) from them and store them in separate fields. Can anyone help me with this? Thanks

sample=/abc/test/ipts/jquery-1.3.1-vsdoc.cjs 
sample=/abc/test/ipts/jquery-1.3.js

ddrillic · ‎09-13-2018

A related recent thread at How do I search to exclude logs with extensions?

osakachan · ‎09-13-2018

Hello,

try this one:

".*\.(?.*)$"

Tested with:
| makeresults |eval lol="/abc/test/ipts/jquery-1.3.1-vsdoc.cjs " | rex field=lol ".*\.(?<foo>.*)$" | table lol,foo

gcusello · ‎09-13-2018

Hi arrangineni,
try something like this:

\.(?<extension>.*)$

if you already extracted the field sample, you could also use the command

| rex field=sample "\.(?<extension>.*)$"

You can test it at https://regex101.com/r/L5vehV/1

Bye.
Giuseppe

kmorris_splunk · ‎09-12-2018

This is probably a bit greedy, but it works in regex101.com:

.*\.(?<extension>[a-z]+)

cpetterborg · ‎09-12-2018

So do you want the js and cjs values from the sample field stored in a separate field (like one named ext) at search time?

Could you help me use rex to extract end value extensions from field values?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Could you help me use rex to extract end value extensions from field values?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!