Re: How to write the regex for a calculated field ...

aelluru · ‎05-12-2016

I have an existing field named source which has a sample format of:

/home/user/script.schema.table.date-time.log

How can I write the regex to parse out schema ? (i.e parse out text between first and second . )
How can I write the regex to parse out table? (i.e parse out text between second and third . )

somesoni2 · ‎05-13-2016

This should do it

In-line in search

...| rex field=source "\/home\/([^\/]+)\/([^\.]+)\.(?<schema>[^\.]+)\.(?<table>[^\.]+)\."

In Props.conf (as calculated field)

[YourSourceType]
EVAL-schema = replace(source,"(\/home\/[^\/]+\/[^\.]+\.)([^\.]+)(\.[^\.]+)(.*)","\2")
EVAL-table= replace(source,"(\/home\/[^\/]+\/[^\.]+\.)([^\.]+)(\.[^\.]+)(.*)","\3")

In props.conf and transforms.conf (as field extraction)

props.conf

[YourSourceType]
TRANSFORMS-getfieldsfromsource = fieldsfromsource

transforms.conf

[fieldsfromsource]
SOURCE_KEY=MetaData:Source
REGEX=\/home\/([^\/]+)\/([^\.]+)\.(?<schema>[^\.]+)\.(?<table>[^\.]+)\.

pgrantham_splun · ‎05-13-2016

I believe something like this should work:

/home/\w+/[^\.]+\.(?<schema>[^\.]+)\.(?<table>[^\.]+)

sundareshr · ‎05-13-2016

This will give you two fields seg1 with schema and seg2 with table

... | rex field=source "[^\.]+\.(?<seg1>[^\.]+)\.(?<seg2>[^\.]+)\.") | table seg1 seg2

How to write the regex for a calculated field to parse out certain text from my source field?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to write the regex for a calculated field to parse out certain text from my source field?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR