Solved: Rex for Source

priyankamundarg · ‎09-22-2016

My source filed has value such as,

/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log

I would like to extract the "LoadABCDEF" from the source.

Similarly

/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source.

can someone help me how to fetch the application name from the source?
| rex field=source "*"

inventsekar · ‎09-22-2016

/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log
I would like to extract the "LoadABCDEF" from the source.

the updated query -
| rex field=source "\/(?\w+)_" | table sourceRex
/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source(Folder3 may contains an underscore).

| rex field=source "(\/\w+){3}\/(?<rexOutput>\w+)\S+" | table rexOutput

for learning,

\/ -- for matching(escaping) the first "/"
\w+ --- match any word character(letter, number, or _) ("+" means, one or more match)
{3} ---- match 3 times 
(/Folder1/Folder2/Folder3/ will be matched till this) then, we need create our rex extraction.
?<rexOutput> --- assign rex extraction to this variable.
\w+ ---- the rex is matching for any word character, once or more.
\S+ ---- not white space, once or more

View solution in original post

haley_swarnapat · ‎09-22-2016

To extract /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log Try this:
| rex field=source "(?[A-Za-z]+_[0-9]+).log"
it will only extract the last filename as long as it is written in "alphabet_numeric.log" format

To extract /Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path try this:
| rex field=source "(?[A-Za-z]+_[A-Za-z]+)"
it will extract only the folder with "alphabet_alphabet" format

haley_swarnapat · ‎09-22-2016

after the question mark "?", you need to add the or <output> field
I don't know why I can't type those "angle bracket" in the answer like <> or <>

priyankamundarg · ‎09-22-2016

To extract /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log Try this:
| rex field=source "(?[A-Za-z]+_[0-9]+).log"
it will only extract the last filename as long as it is written in "alphabet_numeric.log" format

This is definitely working. But how to ignore displaying of date format after ""?I want to display only "LoadABCDEF". and ther is one more "" inbetween the path like Folder_3.

haley_swarnapat · ‎09-23-2016

To extract "LoadABCDEF" from /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log:

| rex field=source "(\/\w+){5}\/(?<rexOutput>[A-Za-z0-9]+).*" | table rexOutput

To extract "Folder3":
| rex field=source "(\/\w+){2}\/(?<rexOutput>[^\/]+).*" | table rexOutput

It wil work regardless how many symbol you put in folder3 you can test with "F-old(er)_3$%"

inventsekar · ‎09-22-2016

/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log
I would like to extract the "LoadABCDEF" from the source.

the updated query -
| rex field=source "\/(?\w+)_" | table sourceRex
/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source(Folder3 may contains an underscore).

| rex field=source "(\/\w+){3}\/(?<rexOutput>\w+)\S+" | table rexOutput

for learning,

\/ -- for matching(escaping) the first "/"
\w+ --- match any word character(letter, number, or _) ("+" means, one or more match)
{3} ---- match 3 times 
(/Folder1/Folder2/Folder3/ will be matched till this) then, we need create our rex extraction.
?<rexOutput> --- assign rex extraction to this variable.
\w+ ---- the rex is matching for any word character, once or more.
\S+ ---- not white space, once or more

priyankamundarg · ‎09-22-2016

Thank you for the quich response.
For below
/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source.
| rex field=source "\/(?\w+_\w+)\/" | table sourceRex

its giving sourceRex value as Folder3. Can u please elaborate how its working?

inventsekar · ‎09-23-2016

@priyankamundargi, please check this quick ref guide on page 6,
https://www.splunk.com/content/dam/splunk2/pdfs/solution-guides/splunk-quick-reference-guide.pdf

priyankamundarg · ‎09-22-2016

actually Folder3 is like Folder_3. is it breaking there?

inventsekar · ‎09-22-2016

exactly, yes, if folder3 is having an underscore, then, please check -

| rex field=source "\/(?\w+\_\w+)\/w+\/" | table sourceRex

priyankamundarg · ‎09-22-2016

How to ignore "_" in tha path. Few \/(?\w+[0|1]_\w+)\/w+\/ kind is not working. Please help me with that. Because value can be "OrderOnline_ABCD" or "OrderOnlineABCD". the current rex is ignoring "OrderOnlineABCD"

inventsekar · ‎09-22-2016

Pls try the updated query on the answer..

priyankamundarg · ‎09-22-2016

I did not get. Can you please send it again?

haley_swarnapat · ‎09-22-2016

try this:

| rex field=source "(\/\w+){3}\/(?<rexOutput>\w+)\S+" | table rexOutput

inventsekar · ‎09-23-2016

+1...
Good one, Haley Swarnapati.

priyankamundarg · ‎09-23-2016

It worked perfectly. Thank you so much

priyankamundarg · ‎09-22-2016

How to give 0 or 1 condition for ""? "" may or may not be there in the path.
Like "OrderOnline_ABCD" may have "OrderOnlineABCD" value. this value is gettimg ignored.
[0|1] OR [0,1] doesn't work here? \/(?\w+[0|1]_\w+)\/w+\/ its is not working. Kindly help

Rex for Source

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024