Solved: How to get values after the last /

Laya123 · ‎01-12-2015

Hi,

After using search command I got the following output for XYZ field

/mrIWeb/Images/SE/2.1/lib/qstudio/qcreator/qcore/QWidget.js
/mrIWeb/Images/SE/2.0/source/js/SurveyEngine.js
/mrIWeb/Images/SE/1.7.1/lib/qstudio/qcreator/qcomponent/BtnMatrix.js
/mrIWeb/Images/SE/1.8/lib/qstudio/qcreator/qcomponent/DragnDrop.js

but I dont want my output like this,

I want to display my output like

/mrIWeb/Images/SE/2.1
/mrIWeb/Images/SE/2.0
/mrIWeb/Images/SE/1.7.1
/mrIWeb/Images/SE/1.8

I got answer for this and thank you so much it is working, but i want 2 columns like

/mrIWeb/Images/SE/2.1                                           QWidget.js
/mrIWeb/Images/SE/2.0                                           SurveyEngine.js
/mrIWeb/Images/SE/1.7.1                                         BtnMatrix.js
/mrIWeb/Images/SE/1.8                                           DragnDrop.js

Can you help me in this

Thanks

MuS · ‎01-12-2015

Try this as regex:

your base search here | rex "^(.*[\\\/])(?<myLast>.+)" | table myLast

hope this helps ...

cheers, MuS

View solution in original post

Patient · ‎01-12-2015

Hello,

Try with this:

... | rex field=XYZ "(?<XYZ_trimmed>\w+);(?<*.js>\w+)"

MuS · ‎01-12-2015

Try this as regex:

your base search here | rex "^(.*[\\\/])(?<myLast>.+)" | table myLast

hope this helps ...

cheers, MuS

Laya123 · ‎01-12-2015

Thank you so much- MuS

Laya123 · ‎01-12-2015

hey I am not geeting accept button to accept it can you tell me how to accept it.

and also if you dont mind can you explain how you have used the rex command rex "^(.*[\\/])(?.+)" means what is meant by '^' and why used 3 '\'. this will help me to do more queries using 'rex'

Thank you

MuS · ‎01-12-2015

No problem I will break it down for you:

^(.*[\/])(?<myLast>.+)

translates into:

^ - matches the beginning of a string
(.*[\/]) - captures a matching group containing any character 0 or more times ending with a /
(?.+) - captures a named group containing any character 1 or more times

I removed the 3 \ because it was actually used before as universal regex for windows and unix path.
You can learn regex on any of the online tester like www.regexr.com or www.regexpal.com

cheers, MuS

Laya123 · ‎01-12-2015

Thank you so much- MuS, Its working

MuS · ‎01-12-2015

you're welcome - but could you please accept the answer that is working - thx 🙂

Laya123 · ‎01-12-2015

Thank you,

I am very new to this splunk tool

I tried using rex command but I am unable to get the results

I want only last portion (which highlighted in bold) from below results which is derived from XYZ field
/mrIWeb/Images/SE/2.1/lib/qstudio/qcreator/qcore/QWidget.js
/mrIWeb/Images/SE/2.0/source/js/SurveyEngine.js
/mrIWeb/Images/SE/1.7.1/lib/qstudio/qcreator/qcomponent/BtnMatrix.js
/mrIWeb/Images/SE/1.8/lib/qstudio/qcreator/qcomponent/DragnDrop.js

please help me to resolve this

Thanks

lukasz92 · ‎01-12-2015

Maybe you need to learn regular expressions?
There is a rex command, which can extract fields you want to have

How to get values after the last /

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk