Hello Sir,
I am new to regular expressions. Our log has different values for a field.
I want to remove the characters up to the first minus (-) from the beginning and print the substring up to the second minus (-).
Example:
ALL_CAT_12-AP_Adobe-Adobe_Ident-Defaultgp-NONE -> AP_Adobe
BLO_CAT_12-DefaultGroup-SH_Auth-DefaultGroup-NONE -> DefaultGroup
OTHER-Default-SH_Auth-DefaultGroup-NONE -> Default
Thanks
Like this:
| makeresults
| eval raw="ALL_CAT_12-AP_Adobe-Adobe_Ident-Defaultgp-NONE BLO_CAT_12-DefaultGroup-SH_Auth-DefaultGroup-NONE OTHER-Default-SH_Auth-DefaultGroup-NONE"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex "^[^-]+-(?<myDestField>[^-]+)"
NOTE: You may need to change rex on the last line to rex field=mySourceField.
Hi all, any ideas/suggestions about how makemv and mvexpand work in the above query, please?
Thanks, now it is working.
Be sure to UpVote any useful comments or answers and pick the best answer and click Accept to close the question.
Try this:
| makeresults
| eval string="ALL_CAT_12-AP_Adobe-Adobe_Ident-Defaultgp-NONE"
| rex field=string ".*?\-(?<output>[^\-]+).+"
| table string output
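Added example, not part of either answer: a JavaScript stand-in that runs both posted rex patterns over the question's values and two constructed edge cases, and mimics the makemv/mvexpand split asked about above. The function names and the edge-case inputs are assumptions made for illustration.

```javascript
// Added illustration, not code from the thread. The sample string is the one
// used in the first answer; EDGE holds two constructed inputs.
const RAW = "ALL_CAT_12-AP_Adobe-Adobe_Ident-Defaultgp-NONE " +
            "BLO_CAT_12-DefaultGroup-SH_Auth-DefaultGroup-NONE " +
            "OTHER-Default-SH_Auth-DefaultGroup-NONE";

// The two patterns from the answers, copied verbatim (JavaScript accepts the
// same (?<name>...) named-group syntax that rex uses).
const ANCHORED = /^[^-]+-(?<myDestField>[^-]+)/;
const LAZY = /.*?\-(?<output>[^\-]+).+/;

// Stand-in for "makemv raw | mvexpand raw": makemv splits the string on
// spaces into one multivalue field, mvexpand emits one event per value.
function expand(raw) {
  return raw.split(" ").filter((v) => v.length > 0);
}

// Stand-in for rex: unanchored search that returns the named group, or null
// when the pattern does not match (rex then leaves the field unset).
function extract(pattern, value) {
  const m = pattern.exec(value);
  return m ? Object.values(m.groups)[0] : null;
}

// Run both patterns over every value so the results can be read side by side.
function compare(values) {
  return values.map((v) => ({
    value: v,
    anchored: extract(ANCHORED, v),
    lazy: extract(LAZY, v),
  }));
}

// Constructed edge cases: a value with only two segments, and a leading hyphen.
const EDGE = ["OTHER-Default", "-AP_Adobe-NONE"];

console.table(compare([...expand(RAW), ...EDGE]));
```

Both patterns agree on the question's values. On the constructed inputs they differ: the second pattern returns "Defaul" for "OTHER-Default" because its trailing .+ must consume at least one character, and the anchored pattern does not match a value that starts with a hyphen.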