Solved: How to extract fields from source?

karthi2809 · ‎10-25-2024

How to extract fields from below source.

/audit/logs/QTEST/qtestw-core_server4-core_server4.log

I need extract QTEST as environment qtestw as hostname core_server4 as component core_server4.log as filename

gcusello · ‎10-25-2024

Hi @karthi2809 ,

you can use this regex:

| rex field=source "^\/\w+\/\w+\/(?<environment>\w+)\/\w+-(?<component>[^-]+)-(?<filename>.*)"

you can test this regex at https://regex101.com/r/0VJvAw/1

Ciao.

Giuseppe

View solution in original post

Jawahir · ‎10-25-2024

Try this :

<your_search>|rex field=source "\/audit\/logs\/(?<environment>[^\/]*)\/(?<hostname>[^-]*)\-(?<component>[^-]*)\-(?<filename>.*$)"

------

If you find this solution helpful, please consider accepting it and awarding karma points !!

gcusello · ‎10-25-2024

Hi @karthi2809 ,

you can use this regex:

| rex field=source "^\/\w+\/\w+\/(?<environment>\w+)\/\w+-(?<component>[^-]+)-(?<filename>.*)"

you can test this regex at https://regex101.com/r/0VJvAw/1

Ciao.

Giuseppe

How to extract fields from source?

fields

If you find this solution helpful, please consider accepting it and awarding karma points !!

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

How to extract fields from source?

fields

If you find this solution helpful, please consider accepting it and awarding karma points !!

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+