Solved: Use regex to retrieve the source string

chrismok · ‎10-02-2014

Hi All,

As I want to retrieve part of the source name and inner join to the other source. I would like to use the regex to get the source. However I am not sure how to write it

Here the source name list

D:\\deploy\\logs\\uat\\20140929101121\\build1.log
//usr//bin//app1//log//dev//20140929100730//build2.log
//usr//bin//app1//log//dev//20140929100728//build1.log

And I would like to get the timestamp in the path.

20140929101121
20140929100730
20140929100728

The regex should be

 (\d+)(?=[\\\/]{2}[^\\\/]*$)

But I don't know how to implement to search query.

Regards,
Chris

chrismok · ‎10-02-2014

I found the solution. ..... The regex format is very different from javascript, .net.....

Here's my answer.

sourcetype=XXX| rex field=source "(\d+)(?=[\\\/](?.*)[\\\/]*$)"|table sss source

View solution in original post

meenuvn · ‎05-16-2016

Hi,
Need help with something similiar..Not able to generate the correct regex for this.
Source files and the needed extractions are shown below.
1) file.1000.1.log --Should return 1
2) file.1000.1.32.log -- Should return 1
3) file.1000.2.log -- Should return 2
4) file.1000.2.16.log --Should return 2
5) file.1000.2.32.log --Should return 2

chrismok · ‎10-02-2014

I found the solution. ..... The regex format is very different from javascript, .net.....

Here's my answer.

sourcetype=XXX| rex field=source "(\d+)(?=[\\\/](?.*)[\\\/]*$)"|table sss source

Use regex to retrieve the source string

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Use regex to retrieve the source string

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk