regex help

mariof · ‎06-22-2012

Hi,
I'm new to Splunk so hope:
1) I'm not asking a stupid question
2) someone can help

Anyway, I want to extract a hostname and user name from a "source" at search time.
I know I need to "| rex field=source" but can't figure out the syntax as yet.

the source I have is in the following format:
/export/Data/History/servername_user

Kind Regards

Mario

mikelanghorst · ‎06-22-2012

I'd probably use:
rex field=source "(?i)\/export\/data\/history\/(?P[^_]+)_(?\w+)"

Splitting out both host and user

mariof · ‎06-25-2012

Thank you both for your help (so far).
I was hoping to use the hostname and user in a table, would that be possible considering that these variables are not permanent?

MHibbin · ‎06-22-2012

rex field=source "(?i)\/export\/data\/history\/(?P<hostName>\w+)\_user"
I believe should do it..

You can also use the IFX (Interactive Field Extractor) to help with you extractions/regex.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX

Note, that rex will not make a permanent field, only one that exists in the context of the present search string.

This reference is pretty good for regex

http://www.regular-expressions.info/reference.html

Regards,

Matt

regex help

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life