I have a field with values like this: "NENAME1/Some text:romc"
I would like to do something like this: eval field=
, but this might not necessarily be the way to do it, to end up with a field like this "romc". So effectively everything after the last :
.
What is the best way of achieving this? Do I use rex, or is there some other clever way?
Yes, you can use rex. Here is one example. I'm sure there are better regular expressions to use, but this should give you an idea (not sure if all of your fields will be formatted just like your example).
origfield would be the original field you want to pull the data out of, and newfield would be the result you want.
....| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?[^:]+)$"
Could not get that to work. I was getting: Error in 'rex' command: Encountered the following error while compiling the regex ':(?[^:]+)$': Regex: unrecognized character after (? or (?-
Hmm... I think maybe a posting error on my part, because everything in the angle brackets is missing.
...| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?[^:]+)$"
OK, apparently I need to read up on how to post correctly on Answers... one more shot.
...| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?[^:]+)$"
Nope, still no angle brackets.
But essentially after the ? you need a left angle bracket, then the name of the new field you want to use, then a right angle bracket. The rest of the regex should be fine as posted.
| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?<newfield>[^:]+)$"
Thanks very much. Where can I play with rex in Splunk so I can see what part of the field it is extracting? Something like this
I typically use a site like that to verify my regex is correct before moving onto splunk.
In Splunk, you can run the search with your rex command, and then click on the new field you created to see what's in there, either on each event or in the list of fields on the left-hand side. You could also pipe your search to table or stats to see what values actually show up there, e.g. ... | stats count by yournewfield
Splunk also has a tool to help you create extractions by highlighting data across multiple events. Expand one of your events, click the Event Actions button and choose Extract Fields: http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX
Thanks, but Splunk regex is different, or so it seems to me? I am looking for that field extractor but can't find the one that I have seen on previous versions, similar to this
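As an added example (not code from this thread or from Splunk): the answer's regex with the angle brackets restored, run in JavaScript, whose RegExp uses the same `(?<name>...)` named-group syntax that Splunk's rex expects, over constructed field values, including the edge cases the thread does not show, plus a small equivalent of the `stats count by` check suggested in the comments.

```javascript
// The regex from the answer, ":(?<newfield>[^:]+)$": a colon, then one or more
// non-colon characters, anchored to the end of the value. Because the capture
// is anchored at the end, only the text after the LAST colon is taken.
const LAST_SEGMENT = /:(?<newfield>[^:]+)$/;

// Mirrors `rex field=origfield ":(?<newfield>[^:]+)$"`: returns the captured
// value, or null when the regex does not match (rex then creates no field).
function extractAfterLastColon(origfield) {
  const m = LAST_SEGMENT.exec(origfield);
  return m ? m.groups.newfield : null;
}

// Constructed sample values (not real data): the shape from the question plus
// edge cases worth confirming before relying on the extraction in a search.
const samples = [
  "NENAME1/Some text:romc",    // the value from the question -> "romc"
  "NENAME2/a:b:c",             // several colons: only the last segment, "c"
  "NENAME3/no separator here", // no colon at all: no match, so no field
  "NENAME4/trailing:",         // nothing after the colon: [^:]+ needs >= 1 char
  "NENAME5/spaces: ro mc",     // [^:] keeps leading/inner spaces in the value
];

function runSamples() {
  return samples.map((s) => ({ origfield: s, newfield: extractAfterLastColon(s) }));
}

// Offline stand-in for `... | stats count by newfield`: counts each extracted
// value; events where the regex did not match have no field and are skipped,
// just as stats drops events that lack the by-field.
function countByNewfield(values) {
  const counts = {};
  for (const v of values) {
    const f = extractAfterLastColon(v);
    if (f === null) continue;
    counts[f] = (counts[f] || 0) + 1;
  }
  return counts;
}

for (const r of runSamples()) console.log(JSON.stringify(r));
console.log(JSON.stringify(countByNewfield(samples)));
```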