I have the following field value in the field script_field:

Test script /name/name/check.sh ran
VM Script - xi2v

I want this field to have the value up to the word ran. So

Test script /name/name/check.sh ran

should be retained in the script_field field. Anything after the word ran should be discarded.
The regex should be generic, as the value after the word ran keeps on changing.
I am trying to achieve this using the below:
| rex mode=sed field=script_field "s/(ran)//g"
Try this:
rex field=script_field "(?<new_field>.*ran)"
Full working example:
| makeresults | eval script_field = "Test script /name/name/check.sh ran VM Script - xi2v" | rex field=script_field "(?<new_field>.*ran)"
Or, to overwrite the existing field, name the capture group after it:
| makeresults | eval script_field = "Test script /name/name/check.sh ran VM Script - xi2v" | rex field=script_field "(?<script_field>.*ran)"
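The following is an added example, not code from the thread or from Splunk. It emulates what `rex field=script_field "(?<new_field>.*ran)"` captures, using JavaScript because its regexes accept the same PCRE-style `(?<name>...)` named-group syntax that rex does, so the pattern can be tested verbatim. It also shows why the greedy `.*ran` can cut in the wrong place when a later "ran" (even one inside a word such as "transfer") appears in the trailing text, and a tightened variant (my assumption, not from the answer) that anchors at the start and requires a whole-word ran. The sample field values are constructed for the demonstration; note that the poster's original `mode=sed "s/(ran)//g"` only deletes the literal text "ran" and leaves everything after it in place.

```javascript
// Added example (not from the Splunk Answers thread). Emulates rex's
// named-group extraction with a JavaScript regex of identical syntax.

// The regex exactly as given in the answer above.
const REX_ANSWER = /(?<new_field>.*ran)/;

// Tightened variant (an assumption, not from the thread): anchored at the
// start of the field, lazy, and requiring "ran" to be a whole word, so a
// later "ran" (or one hiding inside "transfer") cannot move the cut point.
const REX_STRICT = /^(?<new_field>.*?\bran\b)/;

// Mimic rex: return the named capture, or null when the pattern does not
// match (rex leaves the field unset in that case).
function rexExtract(value, re = REX_ANSWER) {
  const m = re.exec(value);
  return m && m.groups ? m.groups.new_field : null;
}

// Constructed sample field values for the demonstration.
const SAMPLES = [
  "Test script /name/name/check.sh ran VM Script - xi2v",
  "Test script /name/name/check.sh ran then did a transfer",
  "Test script /name/name/check.sh failed",
];

// Run both patterns over the samples; returns one {value, answer, strict}
// row per input so the difference between the two regexes is visible.
function compare(values = SAMPLES) {
  return values.map((value) => ({
    value,
    answer: rexExtract(value, REX_ANSWER),
    strict: rexExtract(value, REX_STRICT),
  }));
}

for (const row of compare()) console.log(row);
```

On the first sample both patterns return "Test script /name/name/check.sh ran". On the second, the answer's greedy `.*ran` backtracks to the last "ran" it can find, which is inside "transfer", and returns "... ran then did a tran", while the anchored whole-word variant still stops at the first real ran. On the third sample neither matches and the field stays unset. The same `^(?<script_field>.*?\bran\b)` pattern can be used inside rex in SPL if the trailing text may ever contain that substring.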
Thank you.
But this is not working for real-time search or dashboards.
Works fine for normal searches and dashboards.
I realized that I should not enter it in the Source editor.
I should enter it in the search string.
Works for real-time as well.
You did not post what the problem is, but let me guess this solves it.
https://answers.splunk.com/answers/756/how-can-i-include-greater-less-than-signs-in-a-search-in-my-a...