I have multiple logfiles like TEST_SRC_FR.txt, TEST_SRC_IN.txt, TEST_SRC_AU.txt which are my source files. Now I want to extract the last two letters like "FR" from TEST_SRC_FR.txt.
Any idea how to get them during search time?
Regards,
Pradipta
Sure!
... | rex field=source "(?<LastTwoLetters>..)\.txt$"
That assumes they're the literal field source
and that they ALWAYS end with "txt".
Modifications can be made for other similar scenarios, but you'll have to be very specific in describing them. 🙂
Happy Splunking,
Rich
Thanks, it's also working; checking which one to use in my program.
Regards,
Pradipta
Try this run-anywhere search:
| makeresults |eval _raw="TEST_SRC_FR.txt"|rex ".*_(?<name>\w{2})"
In your case you can use it as:
index=<indexname>| rex field=source ".*_(?<name>\w{2})"
Also, you can make this regex in props.conf.
Great, it's working fine for me.
Regards,
Pradipta
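Added example, not part of any post in this thread: a run-anywhere search that applies both rex expressions from the answers above to constructed source values, including ones that break the stated assumptions (a directory prefix, a non-.txt extension, a rotated file, a three-letter suffix). The StrictCode pattern and all sample file names other than the three in the question are assumptions of this example.

```spl
| makeresults
| eval source=split("TEST_SRC_FR.txt,TEST_SRC_IN.txt,/data/logs/TEST_SRC_AU.txt,TEST_SRC_FR.log,TEST_SRC_FR.txt.1,TEST_SRC_FRA.txt", ",")
| mvexpand source
| rex field=source "(?<LastTwoLetters>..)\.txt$"
| rex field=source ".*_(?<name>\w{2})"
| rex field=source "_(?<StrictCode>[A-Z]{2})\.txt$"
| eval agree=if(isnotnull(LastTwoLetters) AND LastTwoLetters==name AND name==StrictCode, "yes", "no")
| table source LastTwoLetters name StrictCode agree
```

Rows with agree=no are the file names where the two answers diverge or fail to extract; StrictCode only populates when exactly two uppercase letters sit between the last underscore and a trailing .txt.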