Hi guys, I'm new to Splunk 🙂
A search I created returns the following in a specific field: /Erginn008/3e2ce24a277ggh9/e709d1a.json
I'm looking to extract the Erginn008 between the first 2 backslashes.
Any help appreciated, thanks.
Try this
sourcetype=proxy github.com cs_uri_path!=/ cs_uri_path=* | rex field=cs_uri_path "\/(?<path>[^\/]+?)\/"
@marktechuk - Did one of the answers below help provide a solution to your question? If yes, please click "Accept" below the best answer to resolve this post. If no, please leave a comment with more feedback. Thanks.
If the following is your data, you can use the split and mvindex commands in conjunction to split based on the backslash and then read the first value:
fieldName="/Erginn008/3e2ce24a277ggh9/e709d1a.json"
Your Base Search Here | eval SplitFields=split(fieldName,"/") | eval firstField=mvindex(SplitFields,1)| table fieldName, SplitFields, firstField
As the split command splits fieldName into the multivalue field SplitFields, you need to call the mvindex command to fetch the first value.
You can do it at search time using rex.
... | rex field=myField "\/(?<newField>[^\/]+)" | ...
Thanks Rich, tried this but I'm getting an error
sourcetype=proxy github.com cs_uri_path!=/ cs_uri_path="*" |rex cs_uri_path="*" "\/(?[^\/]+)" |
rex doesn't make assignments. The 'field' keyword is literally "field"; replace 'myField' with the name of the field you want to extract from. So your query becomes
sourcetype=proxy github.com cs_uri_path!=/ cs_uri_path="*" | rex field=cs_uri_path "\/(?<newField>[^\/]+)"
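As an added illustration (not code from the thread), this Python mimics the two rex patterns and the split/mvindex approach above on constructed cs_uri_path values, so their edge cases can be compared side by side: the pattern with a closing slash misses a single-segment path, and both the first-run pattern and mvindex(...,1) pick the second segment when the path has no leading slash. REX_ANCHORED is an assumed hardened variant, not from the thread, showing the effect of anchoring with `^\/?`.

```python
import re

# Constructed sample cs_uri_path values, modelled on the thread's
# /Erginn008/3e2ce24a277ggh9/e709d1a.json (not real log data).
SAMPLE_PATHS = [
    "/Erginn008/3e2ce24a277ggh9/e709d1a.json",  # the case from the question
    "/Erginn008",                                # single segment, no second slash
    "/",                                         # root; the search excludes it with cs_uri_path!=/
    "Erginn008/repo",                            # no leading slash
]

# Pattern from the first answer: lazy match that requires a closing slash.
# The lazy +? changes nothing here because [^/] can never cross a slash.
REX_CLOSING_SLASH = re.compile(r"/(?P<path>[^/]+?)/")
# Pattern from Rich's answer: first slash-delimited run, no closing slash required.
REX_FIRST_RUN = re.compile(r"/(?P<newField>[^/]+)")
# Assumed hardened variant (not from the thread): anchor at the start and make the
# leading slash optional, so the first segment is taken whether or not "/" leads.
REX_ANCHORED = re.compile(r"^/?(?P<user>[^/]+)")


def rex(pattern, value):
    """Mimic Splunk rex: first match wins; no match leaves the field null (None)."""
    m = pattern.search(value)
    return m.group(1) if m else None


def split_mvindex(value, idx=1):
    """Mimic eval split(value, "/") followed by mvindex(..., idx); out of range is null."""
    parts = value.split("/")  # a leading "/" yields an empty first element, hence idx=1
    return parts[idx] if -len(parts) <= idx < len(parts) else None


def compare(paths=SAMPLE_PATHS):
    """Run each approach over the sample paths and return {path: {approach: result}}."""
    return {
        p: {
            "closing_slash": rex(REX_CLOSING_SLASH, p),
            "first_run": rex(REX_FIRST_RUN, p),
            "mvindex_1": split_mvindex(p),
            "anchored": rex(REX_ANCHORED, p),
        }
        for p in paths
    }


if __name__ == "__main__":
    for path, results in compare().items():
        print(f"{path!r}: {results}")
```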