Splunk Search

Rex for Source

priyankamundarg
Explorer

My source field has values such as,

/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log

I would like to extract the "LoadABCDEF" from the source.

Similarly

/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source.

Can someone help me fetch the application name from the source?
| rex field=source "*"

1 Solution

inventsekar
SplunkTrust

/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log
I would like to extract the "LoadABCDEF" from the source.

the updated query -
| rex field=source "\/(?<sourceRex>\w+)_" | table sourceRex
/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source (Folder3 may contain an underscore).

| rex field=source "(\/\w+){3}\/(?<rexOutput>\w+)\S+" | table rexOutput

for learning,

\/ -- for matching (escaping) the first "/"
\w+ --- match any word character (letter, number, or _) ("+" means one or more matches)
{3} ---- match 3 times
(/Folder1/Folder2/Folder3/ will be matched up to this point); then we need to create our rex extraction.
?<rexOutput> --- assign the rex extraction to this variable.
\w+ ---- the rex matches any word character, once or more.
\S+ ---- not whitespace, once or more


thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !


haley_swarnapat
Path Finder

To extract /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log Try this:
| rex field=source "(?<rexOutput>[A-Za-z]+_[0-9]+)\.log"
it will only extract the last filename as long as it is written in "alphabet_numeric.log" format

To extract /Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path try this:
| rex field=source "(?<rexOutput>[A-Za-z]+_[A-Za-z]+)"
it will extract only the folder with "alphabet_alphabet" format


haley_swarnapat
Path Finder

after the question mark "?", you need to add the or <output> field
I don't know why I can't type those "angle bracket" in the answer like <> or <>

priyankamundarg
Explorer

To extract /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log Try this:
| rex field=source "(?<rexOutput>[A-Za-z]+_[0-9]+)\.log"
it will only extract the last filename as long as it is written in "alphabet_numeric.log" format

This is definitely working. But how do I avoid displaying the date after the "_"? I want to display only "LoadABCDEF". And there is one more "_" in the path, like Folder_3.


haley_swarnapat
Path Finder

To extract "LoadABCDEF" from /Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log:

| rex field=source "(\/\w+){5}\/(?<rexOutput>[A-Za-z0-9]+).*" | table rexOutput

To extract "Folder3":
| rex field=source "(\/\w+){2}\/(?<rexOutput>[^\/]+).*" | table rexOutput

It will work regardless of how many symbols you put in Folder3; you can test with "F-old(er)_3$%"


priyankamundarg
Explorer

Thank you for the quick response.
For below
/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/ path
I would like to fetch "OrderOnline_ABCD" from the source.
| rex field=source "\/(?<sourceRex>\w+_\w+)\/" | table sourceRex

It's giving the sourceRex value as Folder3. Can you please elaborate how it's working?


inventsekar
SplunkTrust

@priyankamundargi, please check this quick ref guide on page 6,
https://www.splunk.com/content/dam/splunk2/pdfs/solution-guides/splunk-quick-reference-guide.pdf

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

priyankamundarg
Explorer

Actually Folder3 is like Folder_3. Is it breaking there?


inventsekar
SplunkTrust

Exactly, yes, if Folder3 has an underscore, then please check -

| rex field=source "\/(?<sourceRex>\w+\_\w+)\/\w+\/" | table sourceRex

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

priyankamundarg
Explorer

How to ignore "_" in the path? Patterns like \/(?<sourceRex>\w+[0|1]_\w+)\/\w+\/ are not working. Please help me with that, because the value can be "OrderOnline_ABCD" or "OrderOnlineABCD". The current rex is ignoring "OrderOnlineABCD".


inventsekar
SplunkTrust

Please try the updated query in the answer.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

priyankamundarg
Explorer

I did not get it. Can you please send it again?


haley_swarnapat
Path Finder

try this:

| rex field=source "(\/\w+){3}\/(?<rexOutput>\w+)\S+" | table rexOutput

inventsekar
SplunkTrust

+1...
Good one, Haley Swarnapati.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

priyankamundarg
Explorer

It worked perfectly. Thank you so much


priyankamundarg
Explorer

How do I give a 0 or 1 condition for "_"? "_" may or may not be there in the path.
Like "OrderOnline_ABCD" may have the value "OrderOnlineABCD"; this value is getting ignored.
[0|1] OR [0,1] doesn't work here? \/(?<sourceRex>\w+[0|1]_\w+)\/\w+\/ is not working. Kindly help

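The following is an added example and not part of the thread: it replays the rex patterns from the accepted answer, from haley_swarnapat's reply and from the final question with Python's re module, against constructed sample source paths, so their behaviour on the log-file path, the OrderOnline_ABCD path, a path with Folder_3 and a path with OrderOnlineABCD can be compared side by side. Splunk's rex uses PCRE, where a named group is written (?<name>...); Python's re spells it (?P<name>...), and that spelling is the only change made to the thread's patterns. The sample paths, the pattern names and the component_at helper are this example's own assumptions, not Splunk commands.

```python
"""Replay the thread's rex patterns with Python's re module (added example).

Splunk's rex is PCRE: (?<name>...). Python's re needs (?P<name>...); that is
the only change to the patterns. The escaped "/" is kept exactly as the thread
wrote it, since Python accepts it as a literal slash.
"""
import re

# Constructed sample values of the `source` field, modelled on the thread's
# examples; the Folder_3 and OrderOnlineABCD variants come from the later posts.
SOURCES = {
    "logfile": "/Folder1/Folder2/Folder3/Folder4/Folder5/LoadABCDEF_20160921.log",
    "app": "/Folder1/Folder2/Folder3/OrderOnline_ABCD/Folder4/",
    "app_folder_underscore": "/Folder1/Folder2/Folder_3/OrderOnline_ABCD/Folder4/",
    "app_no_underscore": "/Folder1/Folder2/Folder_3/OrderOnlineABCD/Folder4/",
}

# First pattern in the accepted answer: word characters after a "/" and before
# the first "_" the engine can reach. Breaks as soon as an earlier component
# contains "_" (Folder_3), and stops short on OrderOnline_ABCD.
UNDERSCORE_ANCHORED = re.compile(r"\/(?P<sourceRex>\w+)_")

# The "word_word" variant from the thread: a whole component that contains "_".
# Also captures Folder_3 when that comes first.
PAIR_ANCHORED = re.compile(r"\/(?P<sourceRex>\w+_\w+)\/")

# The accepted pattern: skip three "/component" pairs, then capture the fourth
# component whatever it contains (\w already includes "_"), then require more text.
POSITIONAL = re.compile(r"(\/\w+){3}\/(?P<rexOutput>\w+)\S+")

# haley_swarnapat's log-file pattern: skip five components, capture the
# alphanumeric run before the "_<date>.log" suffix.
FILE_BASENAME = re.compile(r"(\/\w+){5}\/(?P<rexOutput>[A-Za-z0-9]+).*")

# For the final question: "_?" is the PCRE way to say zero or one "_".
# "[0|1]" is a character class matching the characters 0, | and 1, not a count.
OPTIONAL_UNDERSCORE = re.compile(r"(\/\w+){3}\/(?P<rexOutput>[A-Za-z]+_?[A-Za-z]+)\/")


def rex(pattern, source, group):
    """Mimic `| rex field=source "..."`: the named group, or None if no match.

    rex searches anywhere in the field value, so re.search (not re.match) is used.
    """
    m = pattern.search(source)
    return m.group(group) if m else None


def component_at(source, skip):
    """Generalisation of the positional pattern (hypothetical helper): skip
    `skip` leading path components and capture the next one."""
    pattern = re.compile(r"(\/\w+){%d}\/(?P<rexOutput>\w+)\S+" % skip)
    return rex(pattern, source, "rexOutput")


def compare(source):
    """Run every pattern against one source value and return the captures."""
    return {
        "underscore_anchored": rex(UNDERSCORE_ANCHORED, source, "sourceRex"),
        "pair_anchored": rex(PAIR_ANCHORED, source, "sourceRex"),
        "positional": rex(POSITIONAL, source, "rexOutput"),
        "file_basename": rex(FILE_BASENAME, source, "rexOutput"),
        "optional_underscore": rex(OPTIONAL_UNDERSCORE, source, "rexOutput"),
    }


if __name__ == "__main__":
    for name, src in SOURCES.items():
        print(name, src)
        for label, value in compare(src).items():
            print(f"  {label:20s} -> {value}")
```

Running it shows why the thread converged on the positional pattern: the underscore-anchored patterns capture "Folder" or "Folder_3" as soon as a folder name contains an underscore, while the positional pattern returns OrderOnline_ABCD and OrderOnlineABCD alike because \w already includes "_". The flip side is that the positional pattern is tied to the directory depth, so on the deeper log-file path it captures "Folder4"; component_at(source, 5) is the same idea with the skip count adjusted.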