I have the following field called 'filePath'
I would like to strip off everything in front of the file (called SomeDocument). The common pattern is the "-1-".
I have had no luck with my newbie REX attempts.
Thank you for your help.
This will do it
your base search | rex field=filePath mode=sed "s/(.*)\/(\w+)-1-(.+)$/\1\/\3/g"
your base search | eval filePath=replace(filePath,"(.*)\/(\w+)-1-(.+)","\1\/\3")
Try any of these
| eval filePath=replace(filePath,"(.*)\/([^\/-]+)(\/|-)(.+)","\1/\4")
| rex field=filePath mode=sed "s/(.*)\/([^\/-]+)(\/|-)(.+)$/\1\/\4/g"
I did read the question wrong and was trying to retain the first portion of the path. Apart from the other answers you got, these are additional ways of doing the same. The lines before the last line are to generate the sample data.
| gentimes start=-1
| eval filePath="/src/lkfdjgsryj3kt4z57RdC-1-SomeDocument.doc#/src/lkfdjgsryj3kt4z57RdC/SomeDocument.doc#/lkfdjgsryj3kt4z57RdC-1-SomeDocument.doc#/src/temp/lkfdjgsryj3kt4z57RdC-1-SomeDocument.doc"
| table filePath
| makemv filePath delim="#"
| mvexpand filePath
| eval orig=filePath
| eval filePath1=replace(filePath,"(.*)(\/|-)(\w+\.\w+)$","\3")
| rex field=filePath mode=sed "s/(.*)(\/|-)(\w+\.\w+)$/\3/g"
Thank you for the reply. Both work well, however I have to make my question a bit more challenging now.
I am now seeing data come in that is not all the same.
Notice the character before the document is either [/] or [-].
Is it possible to rex / eval from the end?
For example include everything before and after the [.] but drop everything after [/] or [-] ? the result being
Not quite perfected
other sample data before > after
/src/474702523/xtract/SomeDocument.doc > /src/474702523/Information.doc
/3rBN0S5Z7Cz5dG9K-1-SomeDocument.zip > /1-Information.zip
Here is the code I am using, by the way; maybe I am jacking something up...
index=main sourcetype=X_cef_syslog eventtype=X | [your code inserted] | stats list(filePath)
Why not? It works with your sample data. Please show the query you're using and we may be able to help get it working.
Based on your latest comment to somesoni2 and assuming a filename is always alphanumeric, this rex command will generate a new field called 'filename' with the desired part of filePath.
... | rex field=filePath "(?<=\/|-1-)(?<filename>\w+\.\w+)" | ...
This is what I tried
index=main sourcetype=X_cef_syslog eventtype=X | rex field=filePath "-1-(?<filename>.*)" | stats list(filePath)
index=main sourcetype=X_cef_syslog eventtype=X | rex field=filePath "(?<=\/|-1-)(?<filename>\w+\.\w+)" | stats list(filePath)
I am probably not doing something right; the problem is not knowing what to ask you guys. I am sure your code would work in other situations; maybe it's my data.
I appreciate your help.
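An added example, not part of the thread or any poster's code: a Python check of one end-anchored pattern that handles both the "/" and the "-1-" separator, run against the sample paths quoted above plus two constructed edge cases. The pattern and the function names are assumptions of this example; in rex the named group is written `(?<filename>...)` instead of `(?P<filename>...)`.

```python
import re

# End-anchored pattern (an assumption of this example, not from the thread):
# skip everything up to the last "/", then optionally skip a prefix ending in
# the first "-1-" of that last segment; whatever remains is the file name.
# Unlike \w+\.\w+ it also accepts hyphens and multiple dots in the name.
FILENAME_RE = re.compile(r"^(?:.*/)?(?:[^/]*?-1-)?(?P<filename>[^/]+)$")


def extract_filename(file_path):
    """Return the file name, or None for an empty path or one ending in '/'."""
    match = FILENAME_RE.match(file_path)
    return match.group("filename") if match else None


# Paths quoted in the thread, followed by two constructed edge cases.
SAMPLES = [
    "/src/lkfdjgsryj3kt4z57RdC-1-SomeDocument.doc",
    "/src/lkfdjgsryj3kt4z57RdC/SomeDocument.doc",
    "/lkfdjgsryj3kt4z57RdC-1-SomeDocument.doc",
    "/src/temp/lkfdjgsryj3kt4z57RdC-1-SomeDocument.doc",
    "/src/474702523/xtract/SomeDocument.doc",
    "/3rBN0S5Z7Cz5dG9K-1-SomeDocument.zip",
    "/src/temp/abc123-1-Some-Report_v2.doc",  # constructed: hyphen in the name
    "/src/temp/",                             # constructed: no file name at all
]


def extract_all(paths):
    """Map each path to the extracted file name (None when nothing matches)."""
    return {path: extract_filename(path) for path in paths}


if __name__ == "__main__":
    for path, name in extract_all(SAMPLES).items():
        print(f"{path} -> {name}")
```

In a search, the extracted value lands in the new `filename` field, so that is the field to pass to `stats` or `table`.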