New to regular expression....
I'm trying to create a new field called Application that is populated from a part of the results from an existing field called AppDomain. Here's my query to show results:
index=webapps host=order* AppDomain="*OrderProcess*" "*error*" OR "*exception*" | rex field=AppDomain "(?)" | stats count by AppDomain
AppDomain
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677359969243
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677360750538
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677362395141
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677362906184
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677397950430
/LM/W3SVC/4/ROOT/OrderProcess-1-131297882853714324
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678334631161
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678335308894
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678335390763
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678335627626
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678336195945
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678337194875
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131297882853714324
/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131296677773203879
/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131296678051860064
/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131296678052119089
/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131297720946816171
I'm only interested in the OrderProcess portion, so the regular expression should begin after the ROOT/ and before -1 or -2 -d
If the position of the OrderProcess portion is fixed (5th segment from start), try like this
index=webapps host=order* AppDomain="*OrderProcess*" "*error*" OR "*exception*" | rex field=AppDomain "^\/([^\/]+\/){4}(?<AppDomain>[^-]+)" | stats count by AppDomain
Thanks @somesoni2, that works great! Would you mind explaining what the regex does to cut off the end of the query and start with appdomain?
The ^\/ denotes the start of the event, including first forward slash. From there ([^\/]+\/) captures all characters till next forward slash, including forward slash (e.g. LM/, or W3SVC/ etc). The {4} denotes 4 such values, so covers till /anything/anything/anything/anything/, e.g. /LM/W3SVC/5/ROOT/. Then it captures everything till first hyphen, that is the values that you're interested in.
Thanks that helps me read the regex and for future reference
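An offline check of the regex from the answer, as an added example that is not part of the original thread: it runs the pattern over some of the question's sample values plus two constructed edge cases and compares it with a hypothetical ROOT/-anchored variant. Python spells the named group `(?P<name>...)`, and the capture is named Application here rather than AppDomain; `ROOT_ANCHORED`, `count_by_application` and the constructed samples are assumptions.

```python
import re
from collections import Counter

# The answer's pattern, with Python's (?P<name>...) spelling for the named group
# and the capture named Application (the new field the question asked for).
FIXED_DEPTH = re.compile(r"^/(?:[^/]+/){4}(?P<Application>[^-]+)")

# Hypothetical variant: anchor on the literal ROOT/ segment and stop before the
# trailing -<digits>-<digits> suffix seen in the sample values.
ROOT_ANCHORED = re.compile(r"/ROOT/(?P<Application>.+?)-\d+-\d+$")

SAMPLES = [
    # Copied from the question
    "/LM/W3SVC/4/ROOT/OrderProcess-1-131296677359969243",
    "/LM/W3SVC/4/ROOT/OrderProcess-1-131296677360750538",
    "/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678334631161",
    "/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131296677773203879",
    # Constructed edge cases, not from the question
    "/LM/W3SVC/4/ROOT/Order-Process-1-131296677359969243",  # hyphen in the name
    "/LM/W3SVC/ROOT/OrderProcess-1-131296677359969243",     # one segment fewer
]


def count_by_application(values, pattern):
    """Mimic `rex ... | stats count by Application`: a value that does not
    match gets no Application field and so drops out of the counts."""
    counts, unmatched = Counter(), []
    for value in values:
        m = pattern.search(value)
        if m:
            counts[m.group("Application")] += 1
        else:
            unmatched.append(value)
    return counts, unmatched


if __name__ == "__main__":
    for name, pattern in (("fixed depth", FIXED_DEPTH),
                          ("ROOT anchored", ROOT_ANCHORED)):
        counts, unmatched = count_by_application(SAMPLES, pattern)
        print(name, dict(counts), "unmatched:", unmatched)
```

The fixed-depth pattern truncates a name that contains a hyphen and silently skips a value with a different number of path segments, so it is worth checking for events that end up without the extracted field before trusting the counts.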