I have a multivalue (MV) field "filetypes" with values such as:
test/Makefile.am,test/och_test.cc,test/fully1.py,24,FKP/pro.pl
I need to keep only the extension listed (such as am, cc, py, pl, etc..) so I have two questions:
A. The appropriate regular expression
B. Is it more appropriate to run a regex prior splitting a MV field or after?
Try like this. It'll create a new field with just the extn.
your base search with file filetype
| rex field=filetypes max_match=0 "(?<extns>\.\w+)"
Both of the above worked well...wondering if one less expensive than the other
Like this:
... | mvexpand filetypes | rex field=filetypes "^(?<file_prefix>.+)\.(?<file_suffix>[^\.]+)$"
Mine was geared towards enabling the later commands that you will surely be interested in doing. You can look at the Job Inspector
to compare efficiencies.
Try like this. It'll create a new field with just the extn.
your base search with file filetype
| rex field=filetypes max_match=0 "(?<extns>\.\w+)"