My regex to extract a file from a source field works: [^/]*(?=($|\?))
For example:
/nfs/tibcosoftware/Splunk/impactAnalysis/freight/TestProject/1.0-SNAPSHOT-31/defaultVars/folder/defaultVars.substvar
returns
defaultVars.substvar
See here - http://www.regexr.com/3bvp8
But when I try using this in the rex search command, I cannot get the same result. Why?
sourcetype=tibco_ia | rex field=source "(?<iaFileName>.*)[^/]*(?=($|\?))" | table iaFileName
This returns full file path - /nfs/tibcosoftware/Splunk/impactAnalysis/freight/TestProject/1.0-SNAPSHOT-31/defaultVars/folder/defaultVars.substvar
, but I expected to get defaultVars.substvar
Please advise?
Try something like this
sourcetype=tibco_ia | rex field=source ".*/(?<iaFileName>.*)$" | table iaFileName
Try something like this
sourcetype=tibco_ia | rex field=source ".*/(?<iaFileName>.*)$" | table iaFileName
This is the simplest answer on this query so far.