regex help

SS1 · ‎05-10-2021

Hi,

I need some help with the regex,

Currently we have below two paths, note the naming format is different for the log files

\\path\\to\\my\\app\\folder\userx-test-cpuissue.log
\\path\\to\\my\\app\\folder\usery-cpuissue.log

I wrote a regex to extract user and issue, but it is not able to pick userx since the log format is different i.e. userx-test-cpuissue.log. How do i wrote a single regex which could extract both the naming formats?

\\\\(?<source>\w+)-(?<issue>\w+)\.log$

abowesman · ‎05-10-2021

You could try this

| rex field=log "\\\\(?<user>\w+)-(?<issue>.*)\.log$"

where your 'issue' field extraction takes _any_ character up to the .log after the user rather than \w.

Shown in this example

| makeresults
| eval log=split("\\\\path\\\\to\\\\my\\\\app\\\\folder\\userx-test-cpuissue.log,\\\\path\\\\to\\\\my\\\\app\\\\folder\\usery-cpuissue.log",",")
| mvexpand log
| rex field=log "\\\\(?<user>\w+)-(?<issue>.*)\.log$"

Hope this helps

SS1 · ‎05-10-2021

thanks for the response, although it is extracting just userx while i want it to extract userx-test. is that possible?

ITWhisperer · ‎05-10-2021

\\(?<source>[\w\-]+)\-(?<issue>\w+)\.log$

ITWhisperer · ‎05-10-2021

\\(?<source>\w+)(\-\w+)?\-(?<issue>\w+)\.log$

regex help

chart

field extraction

regex

rex

stats

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Join the Conversation

regex help