Solved: How to edit my regular expression to extract a fie...

email2vamsi · ‎12-07-2016

I have the following field value in field script_field.
Test script /name/name/check.sh ran VM Script - xi2v

I want this field to have the value till ran word.
Test script /name/name/check.sh ran should be retained in script_field field. Anything after ran word should be discarded.
The regex should be generic, as the value after ran word keeps on changing.

I am trying to achieve this using the below.
| rex mode=sed field=script_field "s/(ran)//g"

msivill_splunk · ‎12-07-2016

Try this

rex field=script_field "(?<new_field>.*ran)"

Full working example

| makeresults | eval script_field = "Test script /name/name/check.sh ran VM Script - xi2v" | rex field=script_field "(?<new_field>.*ran)"

Or

| makeresults | eval script_field = "Test script /name/name/check.sh ran VM Script - xi2v" | rex field=script_field "(?<script_field>.*ran)"

To over write the existing field

View solution in original post

email2vamsi · ‎12-07-2016

Thank you.
But this is not working for real time search or dashboards.
Works fine for normal searches and dashboards.

lakromani · ‎12-08-2016

You does not post what the problem is, but let me guess this solves it.
https://answers.splunk.com/answers/756/how-can-i-include-greater-less-than-signs-in-a-search-in-my-a...

email2vamsi · ‎12-08-2016

I realized that i should not enter it in Source editor.
I should enter it in search string.
Works for real time as well.

How to edit my regular expression to extract a field value?

Re: How to edit my regular expression to extract a field value?

Re: How to edit my regular expression to extract a field value?

Re: How to edit my regular expression to extract a field value?

Re: How to edit my regular expression to extract a field value?