Hi,
I am trying to extract the string after the first space, so for ex. I need to extract:
"02-main-menu" for the first record and "02-world" for the second record below. However, since I can't get the rex to work, I thought I'd just test rex with the simplest format and see what it does, and sure enough, it seems it doesn't do anything!
| inputlookup bwCustomerTransMovesByFlow_20130213-15.csv | fields move1 | eval c=mvcount(move1) | rex field=move1 "(?<mytest>)"
_time                   | move1               | c | mytest
2/13/14 5:34:04.000 AM  | 01-ios 02-main-menu | 1 |
2/13/14 12:51:13.000 AM | 01-ios 02-world     | 1 |
Just to be sure that the field move1 is not a multivalue, I did the mvcount(move1) and it returns 1 for all. I also tried doing "nomv move1" which did not make any difference.
The data in the inputlookup is generated as following:
....| | transaction CUSTOMER_KEY connected=t mvlist=t keepevicted=t keeporphans=t | eval move1=mvindex(this_move2,0,1) | .... | makemv delim="," move1 |..... | sort 0 CUSTOMER_KEY | outputlookup bwCustomerTransMovesByFlow_20130213-15.csv
btw, I forgot to take out "makemv delim="," move1", but it didn't do anything anyway, I think, because it did not insert "," anywhere. Besides, nomv supposedly should undo it.
Appreciate a quick response. I am stuck!
Thanks
Your rex doesn't do anything because you're not telling it to do anything. When you do rex field=move1 "(?<mytest>)"
you're not including anything to capture in your matching group, and so nothing will be captured either.
The simplest form to try out would be a matching group with .+
("read all characters from input", more or less), so in your case you would do:
... | rex field=move1 "(?<mytest>.+)"
Doesn't . (dot) mean any character except newline? When I use the above regex for
move1="01-ios 02-main-menu"
it returns "01-ios" for mytest. How does it know that it should stop at the space?
I am trying to come up with the regex that would actually return the part after the last white space (in this ex. "02-main-menu").
Appreciate your help.
It works. Many thanks for your quick response.
Try with this...
rex field=move1 "^(?<mytest>\w+$)"
It doesn't work. It returns null for mytest.
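
The patterns discussed in this thread, run side by side as an added example (not code from any of the posters). JavaScript is used because its named-group syntax is the same `(?<mytest>...)` form that rex takes; the `extract` and `runAll` helpers, the sample strings, and in particular the newline-separated variant of move1 are assumptions made for illustration.

```javascript
// Constructed sample values. The newline-separated variant is an assumption
// about how the field could be stored; it is not data taken from the thread.
const spaceSeparated = "01-ios 02-main-menu";
const newlineSeparated = "01-ios\n02-main-menu";

// Patterns from the thread, plus two that anchor on whitespace instead of ".".
const patterns = {
  emptyGroup: /(?<mytest>)/,               // the group contains nothing to match
  dotPlus: /(?<mytest>.+)/,                // "." does not cross a newline
  wordOnly: /^(?<mytest>\w+$)/,            // \w excludes "-" and whitespace
  afterFirstWs: /^\S+\s+(?<mytest>\S+)/,   // token after the first whitespace run
  afterLastWs: /\s(?<mytest>\S+)\s*$/,     // token after the last whitespace
};

// Return the named group "mytest", or null when the pattern does not match
// or the group captured an empty string (nothing useful was extracted).
function extract(pattern, value) {
  const m = pattern.exec(value);
  if (!m || !m.groups || !m.groups.mytest) return null;
  return m.groups.mytest;
}

// Apply every pattern to one value and collect the results by pattern name.
function runAll(value) {
  const out = {};
  for (const [name, re] of Object.entries(patterns)) {
    out[name] = extract(re, value);
  }
  return out;
}

console.log(runAll(spaceSeparated));
console.log(runAll(newlineSeparated));
```

The last two patterns use only constructs that PCRE also supports, and `\s` matches a newline as well as a space, so they return the second token for either separator.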