Hello,
I am attempting to figure out a regex for a transforms.conf for a field named Call Reason
Example data looks like this
A - Call plan question
B - Data plan question
C - Cellular telephone function question
D - Weak call signal
My goal is to transform the Call Reason field to eliminate the first 4 characters (Alpha space - space) of each row so the it shows as
Call plan question
Data plan question
Cellular telephone function question
Weak call signal
Any help is deeply appreciated as I am very weak in REGEX.
Many thanks
You can do this either by using calculated field (in props.conf only) OR transforms.conf both.
Calculated field - props.conf
[yourSourcetype]
EVAL-field=substr(YourFieldName,5)
Transform
props.conf
[yourSourcetype]
REPORT-field = mytransform
transforms.conf
[mytransform]
SOURCE_KEY = YourFieldName
REGEX = ^(.{4})(?<YourFieldName>.+)
To see these regex/function working in search, see this run anywhere sample
| gentimes start=-1 | eval Reason="A - Call plan question." | table Reason| rex field=Reason "^.{4}(?<Field>.+)" | eval Field2=substr(Reason,5)
You can do this either by using calculated field (in props.conf only) OR transforms.conf both.
Calculated field - props.conf
[yourSourcetype]
EVAL-field=substr(YourFieldName,5)
Transform
props.conf
[yourSourcetype]
REPORT-field = mytransform
transforms.conf
[mytransform]
SOURCE_KEY = YourFieldName
REGEX = ^(.{4})(?<YourFieldName>.+)
To see these regex/function working in search, see this run anywhere sample
| gentimes start=-1 | eval Reason="A - Call plan question." | table Reason| rex field=Reason "^.{4}(?<Field>.+)" | eval Field2=substr(Reason,5)
Hey, thanks for the reply, I got called away and will look into this tomorrow morning. Thanks again.
Hey, I ran the anywhere sample and it worked, however, when I put it in the transforms.conf and restarted I got the following:
Checking conf files for problems...
Bad regex value: '^(.{4})(?<Call Reason>.+)', of param: transforms.conf / [trans-callreason] / REGEX; why: syntax error in subpattern name (missing terminator)
in my props.conf:
REPORT-field = trans-callreason
transforms.conf
[trans-callreason]
SOURCE_KEY = "Call Reason"
REGEX = ^(.{4})(?.+)
I'll start looking into this error but please cut in if it's an obvious error on my part.
Thanks.
Call Reason is not showing in this forum when I typed it into the REGEX statement...
But that is what I have between the (?< and the >.+)
Sorry for being confusing...
The extracted field names can't have spaces. So replace space with underscore in REGEX and try again.
Hi,
You are absolutely correct - no spaces. Thanks!