Splunk Search

What is the rex command to extract the last value from a source field?

simona2121
Path Finder

Hi .. I need to extract back123 from the source field. pls provide the entire rex command needed to fetch back123 to a new field.
eg:

source = /opensource/final/back123

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

Hi @simona2121 - Looks like you have several answers to try out :slightly_smiling_face: If one of them has worked, please click "Accept" below the best answer to resolve this post. Thank you!

0 Karma

lukejadamec
Super Champion

Joining the answer party...

Try this

source = "*opensource*" | dedup source | rex field=source ".*\/(?<new>.*)" | table source, new
0 Karma

lakromani
Builder

This should do:

... | rex field=source ".*\/(?<new>\S+)"

https://regex101.com/r/QEsDmB/1

0 Karma

sundareshr
Legend

Let's make it an even 4

... | rex field=source "\/(?<folder>[^\/]*)$"
0 Karma

woodcock
Esteemed Legend

Like this:

... | rex field=source ".*?(?<fn>[^\/]*)$"

gcusello
SplunkTrust
SplunkTrust

Try this:

 yoursearch | rex field=source ".*\/(?[^ ]+)" | table myfield

Bye.
Giuseppe

0 Karma

inventsekar
SplunkTrust
SplunkTrust

if that source is part of your event, then field=_raw is good.

yoursearch | rex field=_raw "final\/(?<rexField>.*)" | table rexField

if that source is splunk extracted source field, then field=source is good.

yoursearch | rex field=source "final\/(?<rexField>.*)" | table rexField
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...