Additional backup items: /db/cos7j.dump.Z /db/PSCSS.dump.Z /db/imqdb0152.dump.Z
I want to extract 0152 from this.
@shubhambhagat02,
Try
|rex "imqdb(?<MY_NUMBER>\d+[^.])"
I tried |rex field=_raw "imqdb(?\d+[^.])"|table MY_NUMBER but no result came
@shubhambhagat02, do you have <MY_NUMBER> inside the group?
@renjith.nair @sudosplunk
my original data is like
10/10/2010 - 15:59:39 --- process started ...
Additional backup items: /db/cos7j.dump.Z /db/PSCSS.dump.Z /db/imqdb0152.dump.Z
I tried
rex field=_raw "imqdb(?\d+)" also still number is not coming
The regex will not work if you do not specify a name for your named capturing group (?<>). Have a look at both the links below and you will see the difference.
Working regex: https://regex101.com/r/kLoHpn/1
Non-working regex: https://regex101.com/r/8bg9sI/1
I tried this with using group also still no result
It worked...
Thanks
Try this
|rex field=_raw "/\w+(?<test>\d{4})."| table test
You can use
|rex field=_raw "/\w+(?<test>\d{4})."
@shubhambhagat02,
Renjith.nair's solution should work according to the sample you provided. I slightly modified the regex so that it will take fewer steps to find the match.
Add this to your search: your search | rex field=_raw "imqdb(?<MY_NUMBER>\d+)" | table MY_NUMBER
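
A run-anywhere search for comparing the two named-group patterns from this thread, added here as an example and not written by any of the posters. It builds three events with makeresults: the first is the sample line from the question, the second and third are constructed variants (a file name where the digits are followed by `_` instead of `.`, and a line with no imqdb file at all). The field names with_class and digits_only are chosen for this example.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "Additional backup items: /db/cos7j.dump.Z /db/PSCSS.dump.Z /db/imqdb0152.dump.Z",
    n=2, "Additional backup items: /db/imqdb0152_old.dump.Z",
    n=3, "Additional backup items: /db/cos7j.dump.Z")
| rex field=_raw "imqdb(?<with_class>\d+[^.])"
| rex field=_raw "imqdb(?<digits_only>\d+)"
| table n with_class digits_only
```

Because `[^.]` sits inside the capture group, the first pattern pulls the character after the digits into the field whenever that character is not a dot, so the second event yields `0152_` for with_class and `0152` for digits_only. The third event leaves both fields empty, which is how a non-matching event looks in the table.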