I would like to extract the string before the first period in the field using regex or rex
example: extract ir7utbws001 before the period .Feb-12-2016.043./dev/sdi and likewise in all these
Hey, try this run-anywhere search:
| makeresults | eval raw="ir7utbws001.Feb-12-2016.043./dev/sdi ir7mojavs12.Feb-12-2016.043./dev/sda1 Gcase-field-ogs-batch-004-staging.dec-12-2016.043 sb7sdamb002.Feb-12-2016.043./dev/sdn" | makemv raw | mvexpand raw | rex field=raw "^(?P<field_name>[^\.]+)"
In your environment you should write
| rex "^(?P<field_name>[^\.]+)"
let me know if this helps!
| rex "^(?<name_of_new_field>.+?)\."
Anchor to the beginning of the line.
(?<name_of_new_field> some regular expression )
This is just saying that whatever is in the parentheses is a named capture group. Whatever you put between the < > is the name of the new field.
. one or more times
We find a literal dot
\. - the backslash is to escape its normal meaning as a wildcard character.
Try checking out this link to validate it.
Try checking out https://regexone.com/ if you want to learn more about regular expressions.
A vastly more efficient regex (roughly 5 times more efficient) is:
| rex "^(?<name_of_new_field>[^.]*)\."
The reason for the increase in efficiency is making the capture group look for something that is not a period and be greedy (
[^.]* ), not any character and be lazy (
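An added example (not from any of the posts above) that runs the three patterns from this thread over two values from the question and two constructed edge cases, to show where their results differ. It is written in Python, so the named groups use the `(?P<name>...)` spelling; the dictionary keys, the group name `f` and the helper names are illustrative assumptions.

```python
import re

# The three patterns posted in this thread. Python's re module requires the
# (?P<name>...) spelling for named groups; the key names are illustrative.
PATTERNS = {
    "negated_plus": r"^(?P<f>[^\.]+)",   # first answer: no trailing period required
    "lazy_dot":     r"^(?P<f>.+?)\.",    # second answer: lazy "any character"
    "negated_star": r"^(?P<f>[^.]*)\.",  # third answer: greedy "not a period"
}

# Two values from the question plus two constructed edge cases.
SAMPLES = [
    "ir7utbws001.Feb-12-2016.043./dev/sdi",
    "Gcase-field-ogs-batch-004-staging.dec-12-2016.043",
    "hostwithoutperiod",   # constructed: value contains no period
    ".Feb-12-2016.043",    # constructed: nothing before the first period
]


def extract(pattern_name, value):
    """Return the captured prefix, or None when the pattern does not match."""
    match = re.search(PATTERNS[pattern_name], value)
    return match.group("f") if match else None


def compare(value):
    """Run every pattern against one value and collect the results."""
    return {name: extract(name, value) for name in PATTERNS}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        for name, result in compare(sample).items():
            print(f"    {name:13} -> {result!r}")
```

All three patterns agree on the values from the question; they differ only when the value has no period or starts with one, which is worth checking against your own data before picking one.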