Here is my path:
C:\WebLogs\sample.domain.com\W3SVC1\u_ex191121.log
I would like to grab just the "sample.domain.com" part.
Some of my files are on the E drive and the W3CSVC folders vary, but the sample.domain.com part is always the same format, although it may be sample1.domain2.com (changing, but always a valid url).
It's my source field so I am hoping for something like rex field=source "super regex here".
I really appreciate the help!
 
					
				
		
 
					
				
		
Hi
Try this
| makeresults 
| eval test="C:\WebLogs\sample.domain.com\W3SVC1\u_ex191121.log" 
| eval domain = mvindex(split(test,"\\"),2)
I can not take the time or Regex seems to difficult to master for occasional problems, so I really appreciate the mvindex idea, I will definitely use this, thanks vnravikumar!
Please use '\\' to escape '\'
| rex field=path "^(?:[^\]+\){2}(?[^\]+)"
 
					
				
		
Like this:
... | rex  field=path "^(?:[^\\]+\\){2}(?<domain>[^\\]+)"
I get an error, it doesn't seem to be missing a ] anywhere..?
Error in 'rex' command: Encountered the following error while compiling the regex '^(?:[^]+){2}(?[^]+)': Regex: missing terminating ] for character class.
I added some more backslashes and it worked like a charm! Thanks Woodcock
