Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

How to extract a substring of existing field values into a new field?

chvnc
Explorer
‎06-21-2016 10:58 PM

I want to make a new field with extracted values like Header.txt, LogMessage.xml , JSONHEADER.json (it's from the second `` to the end of the string)

Sample data:

/home/collection/collections/data/TIBCOJNDIQAT4A/export/20/PL-ADMIN-11004.30A5748A69B1:ADF086E40_20160621223510_Header.txt

/home/collection/collections/data/TIBCOJNDIQAT4A/export/20/PL-ADMIN-11004.30A5748A69B1:ADF086E40_20160621223510_LogMessage.xml

/home/collection/collections/data/TIBCOJNDIQAT4A/export/20/PL-ADMIN-11004.30A5748A69B1:ADF086E40_20160621223510_JSON_HEADER.json
0 Karma
Reply
Highlighted

Re: How to extract a substring of existing field values into a new field?

sk314
Builder
‎06-22-2016 11:24 AM

Try this: 

rex field=<your_field> "([A-Za-z0-9]+_){2}(?<extracted_field>[^.]+.[^$\n ]+)"

Disclaimer: This is a lousy regex.Someone will surely swoop in and save the day with an optimal regex.

0 Karma
Reply