How to extract the value before a specific character using regex or rex?
I would like to extract the string before the first period in the field using regex or rex.
Example: extract ir7utbws001 before the period (.Feb-12-2016.043./dev/sdi), and likewise in all of these:
ir7utbws001.Feb-12-2016.043./dev/sdi
ir7mojavs12.Feb-12-2016.043./dev/sda1
Gcase-field-ogs-batch-004-staging.dec-12-2016.043
sb7sdamb002.Feb-12-2016.043./dev/sdn
ebase73-ist-bat-002.Feb-12-2016.043./dev/sda1
ik2itpcp002.Feb-12-2016.043./dev/sda1
ebase-field-ods-batch-003.Feb-12-2016.043./dev/sdi
Leo-batch-001.Feb-12-2016.043./dev/sda1

Hey, try this run-anywhere search:
| makeresults
| eval raw="ir7utbws001.Feb-12-2016.043./dev/sdi ir7mojavs12.Feb-12-2016.043./dev/sda1 Gcase-field-ogs-batch-004-staging.dec-12-2016.043 sb7sdamb002.Feb-12-2016.043./dev/sdn"
| makemv raw
| mvexpand raw
| rex field=raw "^(?P<field_name>[^\.]+)"
In your environment you should write:
| rex "^(?P<field_name>[^\.]+)"
Let me know if this helps!


| rex "^(?<name_of_new_field>.+?)\."
Explanation:
^
Anchor to the beginning of the line.
(?<name_of_new_field> some regular expression )
This is just saying that whatever is in the parentheses is a named capture group. Whatever you put between the < and > is the name of the new field.
.+?
Grab anything (.), one or more times (+), until (?) ...
\.
We find a literal dot (\.) - the backslash is to escape its normal meaning as a wildcard character.
Try checking out this link to validate it.
https://regex101.com/r/JvZ4fS/1
Try checking out https://regexone.com/ if you want to learn more about regular expressions.


A vastly more efficient regex (roughly 5 times more efficient) is:
| rex "^(?<name_of_new_field>[^.]*)\."
The reason for the increase in efficiency is making the capture group look for something that is not a period and be greedy ( [^.]* ), not any character and be lazy ( .+? ).
Just curious.
How would this work if in the same example we have ir7utbws001 as an entry?
As there is no 'period', your code would extract this as null. I wanted to extract the whole field if there is no period.
So basically, what is the alternative to
| eval temp=split(URL,".")
| eval Final=mvindex(temp,0)
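
The three patterns from the answers above, run over values from the question plus the period-free value from the last post, as an added example that is not part of the original thread. It is written in Python, so the named groups are respelled as (?P<...>) with one shared group name; the labels and helper names are made up for this example.

```python
import re

# The three rex patterns from the answers above. Python's re module only
# accepts the (?P<name>...) spelling, so the (?<name>...) groups are respelled
# and given one shared name; the regex bodies are unchanged.
PATTERNS = {
    "negated class, no trailing dot": r"^(?P<field_name>[^\.]+)",
    "lazy, dot required": r"^(?P<field_name>.+?)\.",
    "negated class, dot required": r"^(?P<field_name>[^.]*)\.",
}

# Values from the question, plus the period-free value from the follow-up post.
SAMPLES = [
    "ir7utbws001.Feb-12-2016.043./dev/sdi",
    "Gcase-field-ogs-batch-004-staging.dec-12-2016.043",
    "ebase73-ist-bat-002.Feb-12-2016.043./dev/sda1",
    "ir7utbws001",
]


def extract(pattern, value):
    """Return the captured prefix, or None when the pattern does not match
    (a non-matching rex leaves the field unset)."""
    match = re.search(pattern, value)
    return match.group("field_name") if match else None


def split_first(value):
    """Equivalent of eval split(value, ".") followed by mvindex(..., 0)."""
    return value.split(".")[0]


def compare(samples=SAMPLES):
    """Map each sample to {pattern label: extracted value or None}."""
    return {
        value: {label: extract(p, value) for label, p in PATTERNS.items()}
        for value in samples
    }


if __name__ == "__main__":
    for value, results in compare().items():
        print(value, "| split:", split_first(value))
        for label, got in results.items():
            print(f"    {label:32} -> {got!r}")
```

The two patterns that end in \. return nothing for the period-free value, while the pattern without a trailing \. returns the whole value, matching the split/mvindex result on every sample.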
