Hi all,
quick question:
How can I match, with rex or regex, a regular expression that matches all of these fields?
[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/host-manager.war]
[/home/nheffernan/Waratek/apache-tomcat-7.0.52/conf/context.xml]
[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/ROOT/META-INF/context.xml]
[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/docs/]
and so on..
These are raw data, and I would like to extract a field that contains, for each event, the pathname,
such as: path=/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/host-manager.war
Thank you
Does this work?
rex "\[(?P<path>[^\]]*)\]"
Thank you,
This one works: rex "[\/(?P[^]]*)]"
But how can I export one CSV file that contains only this path?
index=main| rex "[(?P[^]]*)]" | outputlookup users.csv, but in the CSV file I would like to have only the rex field
Insert a fields command before the outputlookup. Only the fields listed in the command will be written to the CSV.
Yeah, but with the fields command I have to tell Splunk the name of the rex field...
index=main| rex "[(?P[^]]*)]" | fields name rex field outputlookup users.csv
So give it a name.
index=main| rex "\[(?P<path>[^\]]*)\]" | fields path | outputlookup users.csv
Seems to work! And last question: how can I add it to my query in the framework?
search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex '[^*]' | fields path | outputlookup read_rules.csv")
search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex "[^*]" | fields path | outputlookup read_rules.csv")
I cannot use these ways
I'm not familiar with the framework. Why can you not use those ways?
No, your query is perfect, but I need to use it in the framework :~)
What framework are you referring to?
splunk framework
Federica, looking at your framework question, the reason those won't work is because you're not creating the field.
For your reference, it'll benefit you in the long term.
rex "\[(?P<path>[^\]]*)\]"
The <path> part of the rex creates the field called path.
Using the example you supplied, this is missing.
search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex '[[^*](?.+)]' | fields path | outputlookup read_rules.csv")
Try:
search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex '\\[(?P<path>[^\\]]*)\\]' | fields path | outputlookup read_rules.csv")
Credit to @richgalloway for the rex statement.
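An added example (not code from the thread or from Splunk) showing what happens to the backslashes in the rex pattern once the search sits inside a JavaScript string, as in the mvc.tokenSafe call above. The helper names are hypothetical, the sample events come from the question, and JavaScript's RegExp stands in for the PCRE engine that rex uses.

```javascript
// Added example; helper names are hypothetical, sample events are taken from the question.

// Single backslashes: JavaScript reads \[ and \] as plain [ and ] and drops the backslash.
const naive = "index=waratek source=$sourcename$ File:read | rex '\[(?P<path>[^\]]*)\]' | fields path";
// Doubled backslashes (or String.raw) keep the escapes the regex needs.
const escaped = "index=waratek source=$sourcename$ File:read | rex '\\[(?P<path>[^\\]]*)\\]' | fields path";
const raw = String.raw`index=waratek source=$sourcename$ File:read | rex '\[(?P<path>[^\]]*)\]' | fields path`;

// Pull the quoted pattern out of the rex clause of a search string.
function rexPattern(search) {
  const m = /rex\s+(['"])(.*)\1/.exec(search);
  return m ? m[2] : null;
}

// Apply the pattern to one event. PCRE's (?P<name>...) is written (?<name>...) in JavaScript.
// Returns the captured path, or null if the pattern is invalid or does not match.
function extractPath(pattern, event) {
  let re;
  try {
    re = new RegExp(pattern.replace(/\(\?P</g, "(?<"));
  } catch (e) {
    return null; // the pattern no longer compiles once its backslashes are gone
  }
  const m = re.exec(event);
  return m && m.groups ? m.groups.path : null;
}

// Sample events copied from the question.
const events = [
  "[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/host-manager.war]",
  "[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/docs/]",
];

function extractAll(search) {
  const pattern = rexPattern(search);
  return events.map((e) => extractPath(pattern, e));
}

console.log("pattern sent (single backslashes):", rexPattern(naive));
console.log("pattern sent (doubled backslashes):", rexPattern(escaped));
console.log(extractAll(naive), extractAll(escaped));
```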