I have an existing field named source which has a sample format of:
/home/user/script.schema.table.date-time.log
How can I write the regex to parse out schema? (i.e., parse out the text between the first and second .)
How can I write the regex to parse out table? (i.e., parse out the text between the second and third .)
This should do it:
In-line in search:
...| rex field=source "\/home\/([^\/]+)\/([^\.]+)\.(?<schema>[^\.]+)\.(?<table>[^\.]+)\."
In props.conf (as a calculated field):
[YourSourceType]
EVAL-schema = replace(source,"(\/home\/[^\/]+\/[^\.]+\.)([^\.]+)(\.[^\.]+)(.*)","\2")
EVAL-table = replace(source,"(\/home\/[^\/]+\/[^\.]+\.)([^\.]+)\.([^\.]+)(.*)","\3")
In props.conf and transforms.conf (as a field extraction):
props.conf
[YourSourceType]
TRANSFORMS-getfieldsfromsource = fieldsfromsource
transforms.conf
[fieldsfromsource]
SOURCE_KEY=MetaData:Source
REGEX=\/home\/([^\/]+)\/([^\.]+)\.(?<schema>[^\.]+)\.(?<table>[^\.]+)\.
I believe something like this should work:
/home/\w+/[^\.]+\.(?<schema>[^\.]+)\.(?<table>[^\.]+)
This will give you two fields: seg1 with schema and seg2 with table.
... | rex field=source "[^\.]+\.(?<seg1>[^\.]+)\.(?<seg2>[^\.]+)\." | table seg1 seg2
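The patterns from the answers above can be checked against sample source values before they go into a search or props.conf. This is an added example, not part of the original posts: it is Python rather than SPL, so named groups are written (?P<name>...), and the sample paths (including the john.doe directory) and the function names are assumptions made for the check.

```python
import re

# Python spells named groups (?P<name>...); Splunk's PCRE also accepts (?<name>...).
# Anchored pattern from the first answer (rex / transforms.conf REGEX).
ANCHORED = re.compile(
    r"/home/([^/]+)/([^.]+)\.(?P<schema>[^.]+)\.(?P<table>[^.]+)\."
)
# Unanchored pattern from the last answer, seg1/seg2 renamed for comparison.
UNANCHORED = re.compile(r"[^.]+\.(?P<schema>[^.]+)\.(?P<table>[^.]+)\.")

# Constructed sample values for the source field (not taken from real data).
SAMPLES = [
    "/home/user/script.schema.table.date-time.log",
    "/home/john.doe/load.sales.orders.2020-01-01.log",  # dot in the directory name
    "/home/user/script.log",                             # too few segments
]


def extract(pattern, source):
    """Return (schema, table) for a source path, or None when nothing matches."""
    m = pattern.search(source)
    return (m.group("schema"), m.group("table")) if m else None


def compare(samples=SAMPLES):
    """Map each sample to its (anchored, unanchored) extraction results."""
    return {s: (extract(ANCHORED, s), extract(UNANCHORED, s)) for s in samples}


if __name__ == "__main__":
    for source, (anchored, unanchored) in compare().items():
        print(f"{source}\n  anchored:   {anchored}\n  unanchored: {unanchored}")
```

With a dot in the directory name, the unanchored pattern starts counting segments too early and returns the wrong pair, while the pattern anchored on /home/<user>/ still returns the schema and table.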