My source field has values such as:
/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log
I would like to extract the "LoadABCDEF" from the source.
Similarly
/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source.
Can someone help me fetch the application name from the source?
| rex field=source "*"
/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log
I would like to extract the "LoadABCDEF" from the source.
the updated query -
| rex field=source "\/(?
/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source (Folder3 may contain an underscore).
| rex field=source "(\/\w+){3}\/(?<rexOutput>\w+)\S+" | table rexOutput
for learning,
\/ -- for matching(escaping) the first "/"
\w+ --- match any word character(letter, number, or _) ("+" means, one or more match)
{3} ---- match 3 times
(/Folder1/Folder2/Folder3/ will be matched till this) then, we need to create our rex extraction.
?<rexOutput> --- assign rex extraction to this variable.
\w+ ---- the rex is matching for any word character, once or more.
\S+ ---- not white space, once or more
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
To extract /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log, try this:
| rex field=source "(?[A-Za-z]+_[0-9]+).log"
It will only extract the last filename as long as it is written in "alphabet_numeric.log" format.
To extract the /Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path, try this:
| rex field=source "(?[A-Za-z]+_[A-Za-z]+)"
It will extract only the folder with "alphabet_alphabet" format.
after the question mark "?", you need to add the or <output> field
I don't know why I can't type those "angle bracket" in the answer like <> or <>
To extract /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log Try this:
| rex field=source "(?[A-Za-z]+_[0-9]+).log"
it will only extract the last filename as long as it is written in "alphabet_numeric.log" format
This is definitely working. But how to ignore displaying of the date format after "_"? I want to display only "LoadABCDEF". And there is one more "_" in between the path, like Folder_3.
To extract "LoadABCDEF" from /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log:
| rex field=source "(\/\w+){5}\/(?<rexOutput>[A-Za-z0-9]+).*" | table rexOutput
To extract "Folder3":
| rex field=source "(\/\w+){2}\/(?<rexOutput>[^\/]+).*" | table rexOutput
It will work regardless of how many symbols you put in Folder3; you can test with "F-old(er)_3$%".
Thank you for the quick response.
For below
/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source.
| rex field=source "\/(?<sourceRex>\w+_\w+)\/" | table sourceRex
It's giving the sourceRex value as Folder3. Can you please elaborate how it's working?
@priyankamundargi, please check this quick ref guide on page 6,
https://www.splunk.com/content/dam/splunk2/pdfs/solution-guides/splunk-quick-reference-guide.pdf
Sekar
Actually, Folder3 is like Folder_3. Is it breaking there?
exactly, yes, if folder3 is having an underscore, then, please check -
| rex field=source "\/(?<sourceRex>\w+\_\w+)\/w+\/" | table sourceRex
Sekar
How to ignore "_" in the path. Few \/(?\w+[0|1]_\w+)\/w+\/ kind is not working. Please help me with that. Because the value can be "OrderOnline_ABCD" or "OrderOnlineABCD". The current rex is ignoring "OrderOnlineABCD".
Pls try the updated query on the answer..
Sekar
I did not get. Can you please send it again?
try this:
| rex field=source "(\/\w+){3}\/(?<rexOutput>\w+)\S+" | table rexOutput
+1...
Good one, Haley Swarnapati.
Sekar
It worked perfectly. Thank you so much
How to give a 0 or 1 condition for "_"? "_" may or may not be there in the path.
Like "OrderOnline_ABCD" may have the "OrderOnlineABCD" value. This value is getting ignored.
[0|1] OR [0,1] doesn't work here? \/(?\w+[0|1]_\w+)\/w+\/ it is not working. Kindly help
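
Added example, not part of any post in this thread: a small Python harness for trying the thread's rex patterns offline against constructed sample paths. It shows why the shape-based pattern picks up Folder_3, and why counting path segments copes with an optional underscore. The helper names, the `[^\/]+` variant and the 8-digit date assumption are illustrative, not from the posts.

```python
import re

def rex(pattern, source):
    """Emulate `| rex field=source "<pattern>"`: first match, named groups become fields."""
    # Splunk (PCRE) writes named groups as (?<name>...); Python needs (?P<name>...).
    py = re.sub(r"\(\?<(?![=!])", "(?P<", pattern)
    m = re.search(py, source)
    return m.groupdict() if m else {}

# Constructed sample values modelled on the paths quoted in the thread.
LOG = "/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log"
DIR_US = "/Folder1/Folder2/Folder_3/OrderOnline_ABCD/Folder4/"
DIR_PLAIN = "/Folder1/Folder2/Folder_3/OrderOnlineABCD/Folder4/"
DIR_SYMBOLS = "/Folder1/Folder2/F-old(er)_3$%/OrderOnline_ABCD/Folder4/"

# Shape-based pattern from the thread: the first "word_word" segment wins.
BY_SHAPE = r"\/(?<sourceRex>\w+_\w+)\/"
# Same idea with "zero or one underscore" written as "_?". ("[0|1]" is a
# character class matching one of 0, | or 1, not a repeat count.)
SHAPE_OPTIONAL = r"\/(?<sourceRex>\w+_?\w+)\/"
# Position-based pattern from the thread: skip 3 segments, capture the 4th.
# \w already includes "_", so no optional-underscore handling is needed.
BY_POSITION = r"(\/\w+){3}\/(?<rexOutput>\w+)\S+"
# Assumed variant: anchored, and a segment is any run of non-slash characters.
BY_POSITION_STRICT = r"^(?:\/[^\/]+){3}\/(?<app>[^\/]+)"
# Assumed variant: file-name prefix before "_<8 digits>.log".
FILE_PREFIX = r"\/(?<app>[^\/_]+)_\d{8}\.log$"

def app_name(source):
    """File-name prefix for dated .log sources, otherwise the 4th path segment."""
    hit = rex(FILE_PREFIX, source) or rex(BY_POSITION_STRICT, source)
    return hit.get("app")

if __name__ == "__main__":
    for s in (LOG, DIR_US, DIR_PLAIN, DIR_SYMBOLS):
        print(f"{s} -> {app_name(s)}")
    print("shape-based:", rex(BY_SHAPE, DIR_US))
    print("shape-based with _?:", rex(SHAPE_OPTIONAL, DIR_PLAIN))
```

Making the underscore optional in the shape-based pattern lets it match every segment, so the first folder is returned; the position-based patterns avoid that because they do not depend on what the name looks like.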