Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract part of the search string?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarit_s
Communicator
05-30-2019
03:39 AM
Hello
I have a source path which from I want to extract 2 parts, each part to a different field
this is the path :
/splunkdev/copyFilesAmerFDM.log
I want to extract "Amer" (can be anything, just always will be after "copyFiles"
and FDM (also can be anything will be always before .log)
this is what i came to but it is not working:
| rex field=source \/splunkdev\/copyFiles(?<Region>\w+)
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
martinpu
Communicator
05-30-2019
08:35 AM
Try this:
|rex field=source "\/splunkdev\/copyFiles(?<Region>[A-Z]{2}|[A-Z][a-z]+)(?<Field>[a-zA-Z]*)\.log"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
martinpu
Communicator
05-30-2019
08:35 AM
Try this:
|rex field=source "\/splunkdev\/copyFiles(?<Region>[A-Z]{2}|[A-Z][a-z]+)(?<Field>[a-zA-Z]*)\.log"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarit_s
Communicator
05-30-2019
08:59 AM
perfect! thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
koshyk
Super Champion
05-30-2019
06:58 AM
Please try
| rex field=source "\/copyFiles(?<Region>[A-Za-z]+))"
example in https://regex101.com/r/ae5Xyg/1
If you want to Split FDM Part, then
| rex field=source "\/copyFiles(?<Region>[A-Za-z]+)(?<fdmField>FDM).log"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DavidHourani
Super Champion
05-30-2019
03:47 AM
Hi @sarit_s,
Try this one to capture everything and to stop right before the FDM :
| rex field=source "\/copyFiles(?<Region>[A-Z][a-z]+)"
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarit_s
Communicator
05-30-2019
05:45 AM
thanks David
it is catching only Amer, but if i have Region looks li "SA" for example it is not taking it
also, how can i take the FDM part ?
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
.conf25 Global Broadcast: Don’t Miss a Moment
Hello Splunkers,
.conf25 is only a click away.
Not able to make it to .conf25 in person? No worries, you can ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
What's New in Splunk Observability - August 2025
What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...
