I have the following Field named FileImported that is formatted the following way:
text_text_NEEDED EXTRACTION_text
An example of FileImported is:
22_ABC_FileID1564_Export
And I want "FileID1564" as a field named "Export" from the existing Fileimported field.
I have attempted Regex myself, but am not as experienced in it to get it working. What would be the regex needed to extract what I need based on the FileImported field format?
hey try this run anywhere search
| makeresults
| eval FileImported="22_ABC_FileID1564_Export sds_ABCsds_FileID15sdsd64_Export1ww"
| makemv FileImported
| mvexpand FileImported
| rex field=FileImported ".*_(?<Export>\w+)[-_]"
In your environment, you should write
<base_Search>| rex field=FileImported ".*_(?<Export>\w+)[-_]"
let me know if this helps!
Try this.
... | rex field=FileImported "(?:\w+_){2}(?<Export>[^_]+)_" | ...
BTW, regex101.com is a great site for testing regex extractions.
Hi @griffinpair,
Try this regex:
...|rex field=FileImported "([^_]+_){2}(?<Export>[^_]+)"