Solved: Use regex to retrieve the source string

chrismok · ‎10-02-2014

Hi All,

As I want to retrieve part of the source name and inner join to the other source. I would like to use the regex to get the source. However I am not sure how to write it

Here the source name list

D:\\deploy\\logs\\uat\\20140929101121\\build1.log
//usr//bin//app1//log//dev//20140929100730//build2.log
//usr//bin//app1//log//dev//20140929100728//build1.log

And I would like to get the timestamp in the path.

20140929101121
20140929100730
20140929100728

The regex should be

 (\d+)(?=[\\\/]{2}[^\\\/]*$)

But I don't know how to implement to search query.

Regards,
Chris

chrismok · ‎10-02-2014

I found the solution. ..... The regex format is very different from javascript, .net.....

Here's my answer.

sourcetype=XXX| rex field=source "(\d+)(?=[\\\/](?.*)[\\\/]*$)"|table sss source

View solution in original post

meenuvn · ‎05-16-2016

Hi,
Need help with something similiar..Not able to generate the correct regex for this.
Source files and the needed extractions are shown below.
1) file.1000.1.log --Should return 1
2) file.1000.1.32.log -- Should return 1
3) file.1000.2.log -- Should return 2
4) file.1000.2.16.log --Should return 2
5) file.1000.2.32.log --Should return 2

chrismok · ‎10-02-2014

I found the solution. ..... The regex format is very different from javascript, .net.....

Here's my answer.

sourcetype=XXX| rex field=source "(\d+)(?=[\\\/](?.*)[\\\/]*$)"|table sss source

Use regex to retrieve the source string

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation