How to write the regex for a calculated field to p...

aelluru · ‎05-12-2016

I have an existing field named source which has a sample format of:

/home/user/script.schema.table.date-time.log

How can I write the regex to parse out schema ? (i.e parse out text between first and second . )
How can I write the regex to parse out table? (i.e parse out text between second and third . )

somesoni2 · ‎05-13-2016

This should do it

In-line in search

...| rex field=source "\/home\/([^\/]+)\/([^\.]+)\.(?<schema>[^\.]+)\.(?<table>[^\.]+)\."

In Props.conf (as calculated field)

[YourSourceType]
EVAL-schema = replace(source,"(\/home\/[^\/]+\/[^\.]+\.)([^\.]+)(\.[^\.]+)(.*)","\2")
EVAL-table= replace(source,"(\/home\/[^\/]+\/[^\.]+\.)([^\.]+)(\.[^\.]+)(.*)","\3")

In props.conf and transforms.conf (as field extraction)

props.conf

[YourSourceType]
TRANSFORMS-getfieldsfromsource = fieldsfromsource

transforms.conf

[fieldsfromsource]
SOURCE_KEY=MetaData:Source
REGEX=\/home\/([^\/]+)\/([^\.]+)\.(?<schema>[^\.]+)\.(?<table>[^\.]+)\.

pgrantham_splun · ‎05-13-2016

I believe something like this should work:

/home/\w+/[^\.]+\.(?<schema>[^\.]+)\.(?<table>[^\.]+)

sundareshr · ‎05-13-2016

This will give you two fields seg1 with schema and seg2 with table

... | rex field=source "[^\.]+\.(?<seg1>[^\.]+)\.(?<seg2>[^\.]+)\.") | table seg1 seg2

How to write the regex for a calculated field to parse out certain text from my source field?

SplunkTrust Application Period is Officially OPEN!

Splunk Answers Content Calendar, June Edition II

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Are you a member of the Splunk Community?

How to write the regex for a calculated field to parse out certain text from my source field?

SplunkTrust Application Period is Officially OPEN!

Splunk Answers Content Calendar, June Edition II

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...