Solved: Re: divide field value to 2 fields

ednk · ‎05-03-2022

Hi

I requested to exclude 2 values from one field value.

I mean for each event I have "file_name", that written in the same shape.

the city is first, and than the tool, so i want to extract these value for each event

file_name	city	tool
montreal - tool3 - SFR - Alert ID 123456 - (3 May 2022 01:20:24 IDT)	montreal	tool3

richgalloway · ‎05-03-2022

I'd use rex.

| rex field=file_name "(?<city>\S+)\s*-\s*(?<tool>\S+)"

The regex may need to be adjusted depending on the expected values for city and tool.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎05-03-2022

I'd use rex.

| rex field=file_name "(?<city>\S+)\s*-\s*(?<tool>\S+)"

The regex may need to be adjusted depending on the expected values for city and tool.

---
If this reply helps you, Karma would be appreciated.

ednk · ‎05-04-2022

thanks!

and how can I extract the time "3 May 2022 01:20:24" ?

richgalloway · ‎05-04-2022

That's easy to do with a separate rex command.

| rex field=file_name "\((?<timestamp>[^\)]+)"

---
If this reply helps you, Karma would be appreciated.

How to divide field value to 2 fields?