Solved: Re: Cut data in field and display results as a cou...

Yy4pb · ‎03-07-2022

Hello

I have a field called hostName which contains hosts:

host1\user1

host1\user2

host2\user2

host3\user3

And I want to basically do a count of the number of times each host appears:

so:

Host1 = 2

Host2 = 1

Host3 = 1

So I want to cut the data after the backslash (\) and display the host part of the data as a count.

I worked out the regex for this is ".+?\\" on Regex 101 but I am not able to figure it out with the rex field commands

Thank you!

gcusello · ‎03-07-2022

Hi @Yy4pb,

please try something like this:

| rex field=your_field "^(?<your_host>[^\\]+)"

Ciao.

Giuseppe

View solution in original post

gcusello · ‎03-07-2022

Hi @Yy4pb,

please try something like this:

| rex field=your_field "^(?<your_host>[^\\]+)"

Ciao.

Giuseppe

Yy4pb · ‎03-07-2022

EDIT: I had to add more backslashes to the Regex

| rex field=your_field "^(?<your_host>[^\\\\]+)"

Thanks!!

_________________

However when I run your command I get an error

Error in 'rex' command: Encountered the following error while compiling the regex '^(?<your_host>[^\]+)': Regex: missing terminating ] for character class.

gcusello · ‎03-08-2022

Hiu @Yy4pb,

you used too many backslashes, the last of tem is considered by Splunk as an escape of ], so the condition in the regex isn't closed.

Try using [^\\] or [^\\\].

Ciao.

Giuseppe

How to cut data in field and display results as a count?

rex

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

How to cut data in field and display results as a count?

rex

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!