Hi,
I am trying to extract name of the individuals from the field that I have in the data. For example from the data below, I want to extract Jack Smith and Joe Shmoe.
Any suggestions on how I can do this ?
Some Text
Some Text
24-Jul-2020 10:52:41 - Jack Smith (Approval history)
Jack Smith approved INT128302 for group **CAB - DEV Tech
Some Text
Some Text
22-Jul-2020 12:56:37 - Joe Shmoe (Approval history)
Joe Shmoe approved INT128302 for group **Dev - DBA Tech group
Some Text
Some Text
Thanks !
Rohan
Try this:
|inputlookup change_task_xx| rex field=approval "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"|table change_request name group
Would this work if names(Jack Smith) and groups(**CAB - DEV Tech) change ?
Actually, I was not very clear in my initial question. So I want to extract name of the person and the group from that field.
So format will remain the same but names and groups will change. Any idea if I can extract based on matching string and then extract text based on spaces in between ? cause format will remain the same in my data.
Thanks ,
Rohan
Are these all separate events or does every event start with a timestamp but can be multi-line?
Does the group name always start with **?
Does every line with name and group always have "approved" and "for group" in?
Are these all separate events or does every event start with a timestamp but can be multi-line?
Every event starts with timestamp, and its multi-line. for every event name and group is buried between some other information that is not relevant for the task.
Does the group name always start with **?
Ya. Always
Does every line with name and group always have "approved" and "for group" in?
Yes. Always. It may have "rejected" as well but I want to extract only one with "approved"
-- your search
| rex "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"
I am trying this command but it doesnt return any results, am i using it wrong ?
|inputlookup change_task_xx| rex "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"|table change_request name group
Output that I am getting:
change_requests name group
1
2
3
name and group information exists in the field(approval) in the lookup .
- Rohan K.
Does your table include the multi-line events as single events or have they been split across multiple events?
Try this:
|inputlookup change_task_xx| rex field=approval "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"|table change_request name group
Thanks a lot !
--- your search
| rex "-\s+(?<name>[^\(]+)"
| eval name=trim(name)