Creating a new field depending on wildcard search

ajdyer2000 · ‎04-14-2022

Hi I know this is probably an easy one but I'm new and need some help.

I have the following Field Called "Account Name"

Account Name

Alan Test Account

Debbie Production Account

John Dev Account

Ed Test Account

I would like to create a new field called Environment that matches Test, Production ,Dev

Account Name Environment

Alan Test Account Test

Debbie Production Account Production

John Dev Account Dev

Ed Test Account Test

PickleRick · ‎04-14-2022

One possible approach:

<your search>
| rex field='Account Name' "\S+\s(?<Environment>\S+)\sAccount"

VatsalJagani · ‎04-15-2022

You can validate that you are extracting the environment field from all the results with the below query:

<your search>
| rex field='Account Name' "\S+\s(?<Environment>\S+)\sAccount"
| search NOT Environment=*
| table "Account Name"

If you see any results that mean those account names are differently formatted than what you provided examples here.

If you have "No results" in this search you are good to go. You can use the solution provided by @PickleRick .