So, you want an answer asap 😉
Your regex is pretty easy, you're looking for everything after the last / so try this:
your base search goes here | rex field=source "(?<job>[^\/]*)$" | table job
This will extract everything after the last / and put it in a field called job.
You can test and learn regex over here https://regex101.com
Hope that helps and was asap enough 😉
I need help with one more thing. I have a pattern ABCDEF**** in my logs which are getting indexed on Splunk. I need to put that pattern in a field which I want to display in a table along with job. How can I do that?
Okay, instead of asking for more help, why don't you read the docs about the field extractor http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/ExtractfieldsinteractivelywithIFX and learn how to use it? It helps you to get anything out of your events into fields, which then can be used in any further search within the same app. Makes your life much easier 😉
I am getting an error while pasting this regex after my search. The error is: Error in 'SearchOperator:regex': Usage: regex <field> (=|!=) <regex>.
My base search is index = abc host = "xyz"
When I put it like index = abc host = "xyz" |regex field=source "(?<job>[^\/]*)$" | table job it gave me the above error. Please help.