Solved: How to extract part of the search string?

sarit_s · ‎05-30-2019

Hello
I have a source path which from I want to extract 2 parts, each part to a different field

this is the path :

 /splunkdev/copyFilesAmerFDM.log

I want to extract "Amer" (can be anything, just always will be after "copyFiles"
and FDM (also can be anything will be always before .log)

this is what i came to but it is not working:

| rex field=source \/splunkdev\/copyFiles(?<Region>\w+)

Thanks

martinpu · ‎05-30-2019

Try this:

  |rex field=source  "\/splunkdev\/copyFiles(?<Region>[A-Z]{2}|[A-Z][a-z]+)(?<Field>[a-zA-Z]*)\.log"

martinpu · ‎05-30-2019

Try this:

  |rex field=source  "\/splunkdev\/copyFiles(?<Region>[A-Z]{2}|[A-Z][a-z]+)(?<Field>[a-zA-Z]*)\.log"

sarit_s · ‎05-30-2019

perfect! thanks

koshyk · ‎05-30-2019

Please try

 | rex field=source "\/copyFiles(?<Region>[A-Za-z]+))"

If you want to Split FDM Part, then

| rex field=source "\/copyFiles(?<Region>[A-Za-z]+)(?<fdmField>FDM).log"

DavidHourani · ‎05-30-2019

Hi @sarit_s,

Try this one to capture everything and to stop right before the FDM :

 | rex field=source "\/copyFiles(?<Region>[A-Z][a-z]+)"

Cheers,
David

sarit_s · ‎05-30-2019

thanks David
it is catching only Amer, but if i have Region looks li "SA" for example it is not taking it

also, how can i take the FDM part ?

How to extract part of the search string?