I've got a situation where I'm trying to use rex to create a new field but I can't quite get it to work. And I'd really appreciate some help.
I have a field called foo which is made up of two values concatenated together and right padded with zero.
So foo = value1.value2, where value1 is 1 to 11 and value2 is four digits long. E.g.
foo=165730 - value1: 1, value2: 6573
foo=265730 - value1: 2, value2: 6573
foo=365730 - value1: 3, value2: 6573
foo=465730 - value1: 4, value2: 6573
foo=565730 - value1: 5, value2: 6573
foo=665730 - value1: 6, value2: 6573
foo=765730 - value1: 7, value2: 6573
foo=865730 - value1: 8, value2: 6573
foo=965730 - value1: 9, value2: 6573
foo=106573 - value1: 10, value2: 6573
foo=116573 - value1: 11, value2: 6573
etc.
Now I want to create a new field based on a lookup on value1, such that
If value1=1, newfield=THINGONE
If value1=2, newfield=THINGTWO
...
If value1=11, newfield=THINGELEVEN
I can completely replace the value of foo by stringing together a load of rex'es as follows:
| rex mode=sed field=foo "s/(^10[0-9]{4}$)/THINGTEN/g"
Or I can filter out just one field at a time with the following...
| regex foo="^10[0-9]{4}$(?<newfield>THINGTEN)"
I just can't work out how to keep the value in foo unchanged and add a new field based on the regex lookup. Is there any way of doing this?
Try this
... | eval fooX = foo | regex fooX="^10[0-9]{4}$(?<newfield>THINGTEN)"
Just create a copy of the foo field first...
Thanks! That will do the trick nicely! Simple and effective...
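Another way to leave foo untouched while adding newfield is `eval` with `case()` and `match()`. This is an added example, not code from the thread; it covers only the four mappings the question spells out (1, 2, 10, 11), uses sample foo values from the question, and assumes, as the question's own `^10[0-9]{4}$` pattern does, that a leading 10 or 11 means value1 is 10 or 11.

```spl
| makeresults
| eval foo=split("165730,265730,106573,116573", ",")
| mvexpand foo
| eval newfield=case(
    match(foo, "^10[0-9]{4}$"), "THINGTEN",
    match(foo, "^11[0-9]{4}$"), "THINGELEVEN",
    match(foo, "^1[0-9]{4}0$"), "THINGONE",
    match(foo, "^2[0-9]{4}0$"), "THINGTWO")
| table foo newfield
```

`case()` returns the first branch that matches, so the two-digit prefixes are tested first: a value such as 116570 fits both the `^11` pattern and the padded `^1...0$` pattern, and the format alone cannot say which was meant. Events that match no branch get no newfield value.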