Re: i want to write regular expression with the fi...

mahendra559 · ‎04-21-2020

i have a field name is file_name in that field value is there

ex: file_name= Operating System-Linux-Server-Support-GENVE0001VA.gmail.com.au-GEN-Adm02

in this field i want to display only "GENVE0001VA.gmail.com.au" this value remaining value i dont want please let me know how to write regex in splunk search query

wwhite12 · ‎04-21-2020

Assuming the naming convention is similar, you could try a capturing group with regex, this will just show the new field value in extracted fields or when specifically querying for the captured group.
Might look something like:

index=myindex sourcetype=myfiles 
| rex field=file_name ".+\-\w+\-\w+\-\w+\-(?<file_name>.+)\-.+"
| stats count by file_name

The regex might be a bit off but the main focus is the capturing group (?.+), this creates a field called file_name where the value would be GENVE0001VA.gmail.com.au.
This can also be predefined in Settings >> Fields >> Field Extractions

richgalloway · ‎04-21-2020

Please explain how to identify the part of file_name to extract.

---
If this reply helps you, Karma would be appreciated.

gcusello · ‎04-21-2020

Hi @mahendra559,
is there a rule in the name of the field to extract or in the log?
e.g. starts always with GEN or there's always the FQDN, or the field to extract is alwaysthe part of the log between the last two "-".

In this last case try something like this:

index=your_index
| rex field=file_name "^.*-(?<file_name>[^-]*)-\w+-\w+$"
| ...

that you can test at https://regex101.com/r/XZNTeG/1

Ciao.
Giuseppe

i want to write regular expression with the field i have a field called "file_name"

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...