Rex for Source

priyankamundarg
Explorer

My source field has a value such as,

/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log

I would like to extract the "LoadABCDEF" from the source.

Similarly

/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source.

Can someone help me with how to fetch the application name from the source?
| rex field=source "*"

0 Karma
1 Solution

inventsekar
Ultra Champion

/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log
I would like to extract the "LoadABCDEF" from the source.

the updated query -
| rex field=source "\/(?<sourceRex>\w+)_" | table sourceRex
/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source (Folder3 may contain an underscore).

| rex field=source "(\/\w+){3}\/(?<rexOutput>\w+)\S+" | table rexOutput   

for learning,

\/ -- for matching (escaping) the first "/"
\w+ --- match any word character (letter, number, or _) ("+" means one or more matches)
{3} ---- match 3 times
(/Folder1/Folder2/Folder3/ will be matched up to this point) then we need to create our rex extraction.
?<rexOutput> --- assign the rex extraction to this variable.
\w+ ---- the rex matches any word character, once or more.
\S+ ---- not whitespace, once or more


0 Karma

haley_swarnapat
Path Finder

To extract /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log try this:
| rex field=source "(?[A-Za-z]+_[0-9]+).log"
it will only extract the last filename as long as it is written in "alphabet_numeric.log" format

To extract /Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path try this:
| rex field=source "(?[A-Za-z]+_[A-Za-z]+)"
it will extract only the folder with "alphabet_alphabet" format

0 Karma

haley_swarnapat
Path Finder

after the question mark "?", you need to add the or <output> field
I don't know why I can't type those "angle bracket" in the answer like <> or <>

priyankamundarg
Explorer

To extract /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log try this:
| rex field=source "(?[A-Za-z]+_[0-9]+).log"
it will only extract the last filename as long as it is written in "alphabet_numeric.log" format

This is definitely working. But how do I ignore displaying the date format after "_"? I want to display only "LoadABCDEF". And there is one more "_" in between the path, like Folder_3.

0 Karma

haley_swarnapat
Path Finder

To extract "LoadABCDEF" from /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log:

| rex field=source "(\/\w+){5}\/(?<rexOutput>[A-Za-z0-9]+).*" | table rexOutput

To extract "Folder3":
| rex field=source "(\/\w+){2}\/(?<rexOutput>[^\/]+).*" | table rexOutput

It will work regardless of how many symbols you put in Folder3; you can test with "F-old(er)_3$%".

0 Karma


priyankamundarg
Explorer

Thank you for the quick response.
For below
/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source.
| rex field=source "\/(?<sourceRex>\w+_\w+)\/" | table sourceRex

It's giving the sourceRex value as Folder3. Can you please elaborate on how it's working?

0 Karma

inventsekar
Ultra Champion

@priyankamundargi, please check this quick ref guide on page 6,
https://www.splunk.com/content/dam/splunk2/pdfs/solution-guides/splunk-quick-reference-guide.pdf

0 Karma

priyankamundarg
Explorer

Actually, Folder3 is like Folder_3. Is it breaking there?

0 Karma

inventsekar
Ultra Champion

Exactly, yes; if Folder3 has an underscore, then please check:

| rex field=source "\/(?<sourceRex>\w+\_\w+)\/\w+\/" | table sourceRex

priyankamundarg
Explorer

How do I ignore "_" in the path? A few patterns of the \/(?\w+[0|1]_\w+)\/w+\/ kind are not working. Please help me with that, because the value can be "OrderOnline_ABCD" or "OrderOnlineABCD"; the current rex is ignoring "OrderOnlineABCD".

0 Karma

inventsekar
Ultra Champion

Please try the updated query in the answer.

0 Karma

priyankamundarg
Explorer

I did not get it. Can you please send it again?

0 Karma

haley_swarnapat
Path Finder

try this:

| rex field=source "(\/\w+){3}\/(?<rexOutput>\w+)\S+" | table rexOutput

inventsekar
Ultra Champion

+1...
Good one, Haley Swarnapati.

priyankamundarg
Explorer

It worked perfectly. Thank you so much

0 Karma

priyankamundarg
Explorer

How do I give a 0 or 1 condition for "_"? "_" may or may not be there in the path.
For example, "OrderOnline_ABCD" may have the value "OrderOnlineABCD"; this value is getting ignored.
[0|1] OR [0,1] doesn't work here? \/(?\w+[0|1]_\w+)\/w+\/ is not working. Kindly help.

0 Karma
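The following is an added example, not code from the thread or from Splunk. It runs the patterns quoted above (the `\/(?<sourceRex>\w+)_` and `\w+_\w+` attempts, the accepted `(\/\w+){3}\/(?<rexOutput>\w+)\S+`, and haley_swarnapat's depth-5 and `[^\/]+` variants) against constructed sample `source` values in Python, so you can see why the first attempts returned "Folder" or "Folder_3", why the accepted answer works with or without the underscore, and where `\w+` stops working once a folder name contains other symbols. It also answers the last question: `[0|1]` is a character class matching a literal 0, | or 1, and the zero-or-one quantifier is `?`. The `rex()` helper is an assumption of this example: Splunk's rex uses PCRE-style `(?<name>...)` groups, which Python's `re` spells `(?P<name>...)`, so the helper rewrites that syntax and returns the named groups of the leftmost match (or nothing, which is also what rex does on no match).

```python
import re

# Constructed sample values for the `source` field, modelled on the paths in the
# question, with Folder3 written as Folder_3 (the detail that broke the first attempts).
LOAD_PATH = "/Folder1/Folder2/Folder_3/Folder4/Folder5/LoadABCDEF_20160921.log"
ORDER_PATH = "/Folder1/Folder2/Folder_3/OrderOnline_ABCD/Folder4/"
ORDER_PATH_NO_UNDERSCORE = "/Folder1/Folder2/Folder_3/OrderOnlineABCD/Folder4/"
SYMBOL_PATH = "/Folder1/Folder2/F-old(er)_3$%/OrderOnline_ABCD/Folder4/"


def rex(field_value: str, pattern: str) -> dict:
    """Mimic `| rex field=source "<pattern>"` (helper assumed for this example).

    Splunk's rex uses PCRE named groups (?<name>...); Python's re module spells
    them (?P<name>...), so the SPL pattern is rewritten on the fly. Returns the
    named groups of the first (leftmost) match, or {} when nothing matches, which
    mirrors rex: no match, no field created.
    """
    py_pattern = re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)
    match = re.search(py_pattern, field_value)
    return match.groupdict() if match else {}


# Patterns quoted from the thread.
NAIVE_UNDERSCORE = r"\/(?<sourceRex>\w+)_"
FOLDER_WITH_UNDERSCORE = r"\/(?<sourceRex>\w+_\w+)\/"
ACCEPTED = r"(\/\w+){3}\/(?<rexOutput>\w+)\S+"
DEPTH_FIVE = r"(\/\w+){5}\/(?<rexOutput>[A-Za-z0-9]+).*"
ANY_CHAR_FOLDER = r"(\/\w+){2}\/(?<rexOutput>[^\/]+).*"
# The last question's attempt, and the pattern it was looking for (added here, not
# from the thread): `?` means "zero or one", whereas [0|1] is a character class
# that matches a literal 0, | or 1.
WRONG_OPTIONAL = r"\/(?<sourceRex>\w+[0|1]_\w+)\/w+\/"
OPTIONAL_UNDERSCORE = r"(\/\w+){3}\/(?<rexOutput>[A-Za-z]+_?[A-Za-z]+)\/"


def why_first_attempts_failed() -> dict:
    """Leftmost match wins: an earlier folder containing '_' satisfies the pattern
    before the application folder is ever reached."""
    return {
        "naive_on_load": rex(LOAD_PATH, NAIVE_UNDERSCORE),               # sourceRex = Folder
        "underscore_on_order": rex(ORDER_PATH, FOLDER_WITH_UNDERSCORE),  # sourceRex = Folder_3
    }


def accepted_answer() -> dict:
    r"""Anchoring on directory depth with (\/\w+){N} skips the leading folders, so
    whatever sits at that depth is captured, underscore or not. N must match the
    depth of the field you want: {3} on the log path yields Folder4, not LoadABCDEF."""
    return {
        "order": rex(ORDER_PATH, ACCEPTED),                              # OrderOnline_ABCD
        "order_no_underscore": rex(ORDER_PATH_NO_UNDERSCORE, ACCEPTED),  # OrderOnlineABCD
        "load_depth3": rex(LOAD_PATH, ACCEPTED),                         # Folder4 (wrong depth)
        "load_depth5": rex(LOAD_PATH, DEPTH_FIVE),                       # LoadABCDEF
    }


def symbols_in_folder_names() -> dict:
    r"""\w+ only covers letters, digits and '_': a folder with other symbols breaks
    (\/\w+){3} entirely, while [^\/]+ (anything but a slash) still matches it."""
    return {
        "accepted_on_symbols": rex(SYMBOL_PATH, ACCEPTED),      # {} -- no field produced
        "folder3_any_char": rex(SYMBOL_PATH, ANY_CHAR_FOLDER),  # F-old(er)_3$%
    }


def optional_underscore() -> dict:
    """The zero-or-one question from the end of the thread."""
    return {
        "wrong_on_order": rex(ORDER_PATH, WRONG_OPTIONAL),                    # {}
        "with": rex(ORDER_PATH, OPTIONAL_UNDERSCORE),                         # OrderOnline_ABCD
        "without": rex(ORDER_PATH_NO_UNDERSCORE, OPTIONAL_UNDERSCORE),        # OrderOnlineABCD
    }


if __name__ == "__main__":
    for fn in (why_first_attempts_failed, accepted_answer,
               symbols_in_folder_names, optional_underscore):
        print(fn.__name__, fn())
```

When you carry a pattern like this into production searches, prefer `[^\/]+` over `\w+` for path components and pin the depth with `{N}` rather than hunting for an underscore; the example shows that the underscore-based patterns silently pick up the wrong folder, and a rex that produces no field at all (as on the symbol path) is easy to miss in a dashboard.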