What is the rex command to extract the last value ...

simona2121 · ‎09-16-2016

Hi .. I need to extract back123 from the source field. pls provide the entire rex command needed to fetch back123 to a new field.
eg:

source = /opensource/final/back123

aaraneta_splunk · ‎09-29-2016

Hi @simona2121 - Looks like you have several answers to try out 🙂 If one of them has worked, please click "Accept" below the best answer to resolve this post. Thank you!

lukejadamec · ‎09-29-2016

Joining the answer party...

Try this

source = "*opensource*" | dedup source | rex field=source ".*\/(?<new>.*)" | table source, new

lakromani · ‎09-29-2016

This should do:

... | rex field=source ".*\/(?<new>\S+)"

https://regex101.com/r/QEsDmB/1

sundareshr · ‎09-16-2016

Let's make it an even 4

... | rex field=source "\/(?<folder>[^\/]*)$"

woodcock · ‎09-16-2016

Like this:

... | rex field=source ".*?(?<fn>[^\/]*)$"

gcusello · ‎09-16-2016

Try this:

 yoursearch | rex field=source ".*\/(?[^ ]+)" | table myfield

Bye.
Giuseppe

inventsekar · ‎09-16-2016

if that source is part of your event, then field=_raw is good.

yoursearch | rex field=_raw "final\/(?<rexField>.*)" | table rexField

if that source is splunk extracted source field, then field=source is good.

yoursearch | rex field=source "final\/(?<rexField>.*)" | table rexField

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

What is the rex command to extract the last value from a source field?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...