Hi, I need to extract back123 from the source field. Please provide the entire rex command needed to fetch back123 to a new field.
e.g.:
source = /opensource/final/back123
Hi @simona2121 - Looks like you have several answers to try out.
If one of them has worked, please click "Accept" below the best answer to resolve this post. Thank you!
Joining the answer party...
Try this
source = "*opensource*" | dedup source | rex field=source ".*\/(?<new>.*)" | table source, new
Let's make it an even 4
... | rex field=source "\/(?<folder>[^\/]*)$"
Like this:
... | rex field=source ".*?(?<fn>[^\/]*)$"
Try this:
yoursearch | rex field=source ".*\/(?<myfield>[^ ]+)" | table myfield
Bye.
Giuseppe
If that source is part of your event, then field=_raw is good.
yoursearch | rex field=_raw "final\/(?<rexField>.*)" | table rexField
If that source is the Splunk-extracted source field, then field=source is good.
yoursearch | rex field=source "final\/(?<rexField>.*)" | table rexField
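The patterns posted in this thread, run side by side on a few path shapes. This is an added example, not from any of the posters; the source values are constructed, and the output field names (greedy_last, anchored_last, no_space, after_final) are hypothetical.

```spl
| makeresults
| eval source=split("/opensource/final/back123;/opensource/final/back 123;/opensource/other/back123", ";")
| mvexpand source
| rex field=source ".*\/(?<greedy_last>.*)"
| rex field=source "\/(?<anchored_last>[^\/]*)$"
| rex field=source ".*\/(?<no_space>[^ ]+)"
| rex field=source "final\/(?<after_final>.*)"
| table source greedy_last anchored_last no_space after_final
```

Compare the columns row by row: the `[^ ]+` pattern stops at the first space in the last segment, and the `final\/` pattern extracts nothing when the parent directory is not `final`.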