I would like to extract the string before the first period in the field using regex or rex
example: extract ir7utbws001 before the period .Feb-12-2016.043./dev/sdi and likewise in all these
ir7utbws001.Feb-12-2016.043./dev/sdi
ir7mojavs12.Feb-12-2016.043./dev/sda1
Gcase-field-ogs-batch-004-staging.dec-12-2016.043
sb7sdamb002.Feb-12-2016.043./dev/sdn
ebase73-ist-bat-002.Feb-12-2016.043./dev/sda1
ik2itpcp002.Feb-12-2016.043./dev/sda1
ebase-field-ods-batch-003.Feb-12-2016.043./dev/sdi
Leo-batch-001.Feb-12-2016.043./dev/sda1
hey try this run anywhere search
| makeresults
| eval raw="ir7utbws001.Feb-12-2016.043./dev/sdi ir7mojavs12.Feb-12-2016.043./dev/sda1 Gcase-field-ogs-batch-004-staging.dec-12-2016.043 sb7sdamb002.Feb-12-2016.043./dev/sdn"
| makemv raw
| mvexpand raw
| rex field=raw "^(?P<field_name>[^\.]+)"
In your environment you should write
| rex "^(?P<field_name>[^\.]+)"
let me know if this helps!
| rex "^(?<name_of_new_field>.+?)\."
Explanation:
^
Anchor to the beginning of the line.
(?<name_of_new_field> some regular expression )
This is just saying that whatever is in the parenthesis is a named capture group. Whatever you put between the <
and >
is the name of the new field.
.+?
Grab anything .
one or more times +
until ?
...
\.
We find a literal dot \.
- the backslash is to escape its normal meaning as a wildcard character.
Try checking out this link to validate it.
https://regex101.com/r/JvZ4fS/1
Try checking out https://regexone.com/ if you want to learn more about regular expressions.
A vastly more efficient regex (roughly 5 time more efficient) is:
| rex "^(?<name_of_new_field>[^.]*)\."
The reason for the increase in efficiency is making the capture group look for something that is not a period and be greedy ( [^.]*
), not any character and be lazy ( .+?
).
Just curious.
How would this work if in the same example we have
ir7utbws001
as an entry
as there is no 'period' your code would extract this as null. I wanted to extract the whole field if there is no period
So basically what is alternative of
| eval temp=split(URL,".")
| eval Final=mvindex(temp,0)