I am trying to extract one name from source using rex.
index=* source=* | rex field=source "\\\\\\\domain\\\prod\\\(?<Application>.+?(?=\\\))"
The above query lists the application names from the source. But now I want to join another, different source.
\\\\\\domain\\\Logs\\\Prod\\\cluster1\\\(?<Application>.+?(?=\\\))"
So I tried joining both the rex to get the Application names.
index=* source=* | rex field=source "\\\\\\\domain\\\prod\\\(?<Application>.+?(?=\\\)) & \\\\\\domain\\\Logs\\\Prod\\\cluster1\\\(?<Application>.+?(?=\\\))"
I thought it would extract the names from both the source locations, but it is not working.
Hi,
try this solution.
| rex field=source "(?J)(?:\\\\\\\domain\\\prod\\\(?<Application>.+?)(?=\\\))|(?:\\\\\\\domain\\\Logs\\\Prod\\\cluster1\\\(?<Application>.+?(?=\\\)))"
@cpetterborg: And that's where you are wrong 😉 --> look up (?J)
😛
It didn't work. "Regex: missing closing parenthesis" I added ) at the end and it ran without error, but it only showed the application from one path.
@ibob0304 if it worked for you, I would appreciate it if you would accept my answer 😉
Why not limit the | construct to only the part of the regex that has multiple options?
index=* source=* | rex field=source "\\\\\\\domain(\\\prod\\\|\\\Logs\\\Prod\\\cluster1\\\)(?<Application>.+?(?=\\\))"
Alternatively, just add 2 separate rex commands for each flavor. I'd especially recommend that if you expect to be adding more variants in the future, because otherwise the regex will become very hard to read.
You cannot have two named capture groups with the same name in a single rex. That means that in your rex you have Application in two different capture groups. This is not allowed. Also, I think that you are trying to do the joining of the two with the &, which also will break it all. Post some example data here and you'll probably get an answer which will help you get the data that you want.
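
The approach suggested in the answers above (alternation limited to the path prefix, followed by a single Application group) can be checked against sample paths before it goes into a search. This is an added example, not code from the thread: Python's re module stands in for Splunk's PCRE, the path layouts are assumed from the regexes posted above, and the sample source values are constructed.

```python
import re

# One readable pattern per known path layout (assumed from the thread's regexes).
# Supporting a new layout means adding one line here.
PREFIXES = [
    r"\\\\domain\\prod\\",
    r"\\\\domain\\Logs\\Prod\\cluster1\\",
]

# The alternation covers only the prefix, so Application is defined once.
# .+?(?=\\) keeps the thread's lazy match up to the next backslash.
APP_RE = re.compile("(?:" + "|".join(PREFIXES) + r")(?P<Application>.+?)(?=\\)")


def extract_application(source):
    """Return the application directory name, or None if no layout matches."""
    m = APP_RE.search(source)
    return m.group("Application") if m else None


def duplicate_names_rejected():
    """Python's re has no (?J) option: reusing a group name fails to compile."""
    try:
        re.compile(r"a(?P<Application>x)|b(?P<Application>y)")
    except re.error:
        return True
    return False


# Constructed sample values for the source field.
SAMPLES = [
    r"\\domain\prod\billing\app.log",
    r"\\domain\Logs\Prod\cluster1\inventory\2024\app.log",
    r"\\domain\other\misc\app.log",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", extract_application(s))
    print("duplicate group names rejected:", duplicate_names_rejected())
```

A None result for a path you expected to match points at a layout missing from PREFIXES or a case difference, since the patterns are case-sensitive as written.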