Hello All,
Having some trouble coming up with a way to extract a file with three random characters and a .jnlp extension from the URI.
Here is what I've attempted so far. Any assistance would be greatly appreciated.
index=wsa .jnlp | rex field=csurl (?) | regex csurl="\/[a-z0-9]{3}.jnlp$"
I was looking to extract only JNLP files with a three-character file name, e.g. 123.jnlp or abc.jnlp.
Thanks
Thanks for the reply. The one question I have is in regards to the new field? Rex field extraction is not one of my strong points yet. Do I just give it a random name?
Thanks
Wasn't that what you required? Give an input and expected output example
but of course, that's what you're searching for.
You could add a | search file_extract=* at the end, which requires that the field exists, regardless of its value. The field will not be set if the rex does not match.
/k
Gave it a try and this string returns all .jnlp files.
index=wsa cs_url=*.jnlp | rex field=cs_url "(?
Any thoughts?
Well. Perhaps not random, but more or less arbitrary. Some hints, though:
- Use underscores instead of hyphens.
- Must not start with a number.
- Pick a name that makes sense.
Remember that you can always change a field extraction later, but...if you do, you'll have to alter all tags, eventtypes, saved searches etc. that use the (old) field name.
So if you have another log file that you want to correlate with, it could be a good idea to use the same field name here, e.g. a client ip address could/should always be extracted as clientip, regardless of generating system.
If you have the field csurl already defined, something like this should work.
index=wsa csurl=*.jnlp | rex field=csurl "(?<my_new_field>\w{3})\.jnlp$"
If the filename (excluding the extension) is shorter than 3 - the field extraction will fail. If the filename (excluding extension) is longer than 3 - only the last 3 will be extracted into the new field.
/k
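Added example (not part of the thread, and not Splunk code): the answer's pattern next to a variant anchored on the preceding slash, run over constructed URLs in JavaScript, whose named-group syntax is the same as the one rex uses. The sample URLs and the helper names extract and filterEvents are assumptions made for the illustration.

```javascript
// Constructed sample URLs (not from the thread).
const SAMPLE_URLS = [
  "http://dl.example.test/abc.jnlp",       // three-character name
  "http://dl.example.test/apps/9z1.jnlp",  // three-character name in a subdirectory
  "http://dl.example.test/launch.jnlp",    // longer name
  "http://dl.example.test/ab.jnlp",        // shorter name
  "http://dl.example.test/abc.jnlp.txt",   // .jnlp is not the final extension
  "http://dl.example.test/abcXjnlp",       // no literal dot before "jnlp"
];

// Pattern from the answer: any three word characters directly before ".jnlp".
const UNANCHORED = /(?<my_new_field>\w{3})\.jnlp$/;

// Variant anchored on the preceding "/", using the asker's character class
// and an escaped dot, so the whole file name must be exactly three characters.
const ANCHORED = /\/(?<my_new_field>[a-z0-9]{3})\.jnlp$/;

// Mimics rex: returns the captured value, or null when the field would not be set.
function extract(pattern, url) {
  const m = pattern.exec(url);
  return m ? m.groups.my_new_field : null;
}

// Mimics "| search my_new_field=*": keeps only events where the field exists.
function filterEvents(pattern, urls) {
  return urls
    .map((url) => ({ url, my_new_field: extract(pattern, url) }))
    .filter((e) => e.my_new_field !== null);
}

console.table(filterEvents(UNANCHORED, SAMPLE_URLS));
console.table(filterEvents(ANCHORED, SAMPLE_URLS));
```

With the unanchored pattern, launch.jnlp still produces a field value (its last three characters), so filtering on field existence keeps it; the anchored variant leaves the field unset for that event.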