Hi,
I'm new to regex field extraction. I need a regex to capture only specific characters on my event source. I tried .car_(?.+20) but it gives me an output that I don't want:
Nam-Cluster_01_20
Nam-Cluster_02_20
Nam-Cluster_03_201902191052_20
Sample File Path:
 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190557_41794
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902191428_194444
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190754_194346
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190754_194346
 /path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902191052_209807
Needed Output:
car_Nam-Cluster_01
car_Nam-Cluster_02
car_Nam-Cluster_03
Thank you!

(?<my_field_name>car_\w+\-Cluster_\d{2})
this matches the exact string "car_somelettershere-Cluster_" (the \w+ part will match any alpha characters in the middle) and then will capture the next two {2} digits \d at the end of the string
also, just in case you haven't used/seen this before: https://regex101.com/
Try this:
.*\/(?P<field>.*\_\d{2})\_.*$
Thank you very much! This works for me now. 🙂
Thank you marycordova. This is almost close to what I'm looking for. But if my data changes to something like:
/path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_Asia-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_Asia-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_Asia-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_EMEA-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_EMEA-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_EMEA-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_India-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_India-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_India-Cluster_03_201902190559_41797
it only captures,
car_Nam-Cluster_01
car_Nam-Cluster_02
car_Nam-Cluster_03
but not,
car_Asia-Cluster_01
car_Asia-Cluster_02
car_Asia-Cluster_03
car_EMEA-Cluster_01
car_EMEA-Cluster_02
car_EMEA-Cluster_03
car_India-Cluster_01
car_India-Cluster_02
car_India-Cluster_03
Thank you!

@almar_cabato try the new edit
also, if this works, please accept my answer as correct 🙂
It is not the most efficient, but you can use:
|rex field=foo "car_(?<new_field>.+?)_20"
instead. This added ? says to not be greedy.
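
As an added example (not from any post in this thread), the Python script below runs the thread's patterns over the sample paths so the greedy and non-greedy results can be compared side by side. Python's `re` spells named groups `(?P<name>...)`; the group name `f`, the `anchored` pattern with its 12-digit timestamp, and the constructed path whose cluster number is 20 are assumptions made for illustration.

```python
import re

# Paths copied from the thread, plus one CONSTRUCTED edge case (last entry)
# whose cluster number is 20, so "_20" occurs before the timestamp.
SAMPLES = [
    "/path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795",
    "/path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902191052_209807",
    "/path1/path2/path3/path4/path5/car_Asia-Cluster_02_201902190559_41796",
    "/path1/path2/path3/path4/path5/car_EMEA-Cluster_03_201902190559_41797",
    "/path1/path2/path3/path4/path5/car_Nam-Cluster_20_201902190559_41795",
]

PATTERNS = {
    # Greedy: .+ backtracks from the end, so it stops at the LAST "_20".
    "greedy": r"car_(?P<f>.+)_20",
    # Lazy (last answer in the thread): .+? stops at the FIRST "_20".
    "lazy": r"car_(?P<f>.+?)_20",
    # First answer: literal "-Cluster_" followed by exactly two digits.
    "cluster": r"(?P<f>car_\w+\-Cluster_\d{2})",
    # Second answer: last path segment up to "_NN_".
    "last_segment": r".*\/(?P<f>.*\_\d{2})\_.*$",
    # Assumption (not from the thread): the name is followed by a
    # 12-digit timestamp and a numeric id at the end of the path.
    "anchored": r"(?P<f>car_[^/_]+_\d{2})_\d{12}_\d+$",
}


def extract(name, path):
    """Return the captured field for one pattern, or None if no match."""
    m = re.search(PATTERNS[name], path)
    return m.group("f") if m else None


def extract_all(name):
    """Apply one named pattern to every sample path."""
    return [extract(name, p) for p in SAMPLES]


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:13}", extract_all(name))
```
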
