
I am new to Splunk. So I have a log which has contents (events) in this format:

tool_code: error_code (path1/path2/path3/filename1,line) path1.path2.path3.testname1

I wrote a rex to extract filenames and testnames. The rex is:

| rex field=_raw "(?<UNW>\S+)\s+(?<UNWA>\S+)\s+(?<FILE_NAME>\S+)\s+(?<TEST_NAME>\S+)"

This created a table of this format (by using the command | table FILE_NAME, TEST_NAME):

FILE_NAME                          TEST_NAME
path1/path2/path3/filename1,line   path1.path2.path3.testname1

But I want FILE_NAME to hold only the name (filename1) and not the path (we should extract the contents before the last slash and after the comma), and similarly TEST_NAME should hold only testname1 and not the path.

Kindly help me in achieving this.

3 Answers


You created a field that is called "FILE_NAME". What you can do now is make a new field using the split command:

   | eval OnlyFileName = mvindex(split(FILE_NAME,"/"),-1)

eval = make new field

mvindex(split(...)) = the split command

"/" = split by /

-1 = the last object in list.

Continue splitting until you get what you want.

I recommend using this way, which is much simpler than using regex all the time. It takes much less time...

Gil Kor
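To show the whole split chain this answer sketches, here is an added Python emulation (my code, not Gil Kor's and not Splunk's): `split` and `mvindex` mirror the semantics of the Splunk functions of the same name, the SPL equivalent of each step is given in the comments, and the field names `tail`, `Line` and `OnlyTestName` are assumed. Note that with the `\S+` rex from the question the third token still carries the parentheses of the event format, so the comma split also has to trim the closing one.

```python
# Constructed sample event in the format the question describes (not a real log line).
EVENT = "tool_code: error_code (path1/path2/path3/filename1,line) path1.path2.path3.testname1"


def split(value: str, delim: str) -> list:
    """Splunk split(X, "Y"): a multivalue field with one value per piece."""
    return value.split(delim)


def mvindex(mv: list, index: int):
    """Splunk mvindex(MV, N): one value out of a multivalue field. Negative N counts
    from the end (-1 is the last value); an out-of-range N yields NULL, not an error."""
    try:
        return mv[index]
    except IndexError:
        return None


def extract_fields(event: str) -> dict:
    # The question's rex, (?<UNW>\S+)\s+(?<UNWA>\S+)\s+(?<FILE_NAME>\S+)\s+(?<TEST_NAME>\S+),
    # is simply four whitespace-separated tokens; the split chain then runs on tokens 3 and 4.
    tokens = event.split()
    if len(tokens) < 4:
        return {}          # rex would set no fields, so there is nothing to split
    file_name, test_name = tokens[2], tokens[3]

    # | eval tail = mvindex(split(FILE_NAME, "/"), -1)          -> "filename1,line)"
    tail = mvindex(split(file_name, "/"), -1)
    # | eval OnlyFileName = mvindex(split(tail, ","), 0)         -> "filename1"
    only_file_name = mvindex(split(tail, ","), 0)
    # | eval Line = rtrim(mvindex(split(tail, ","), 1), ")")     -> "line"
    # (the \S+ capture keeps the closing parenthesis, so it has to be trimmed)
    line = mvindex(split(tail, ","), 1)
    line = line.rstrip(")") if line is not None else None
    # | eval OnlyTestName = mvindex(split(TEST_NAME, "."), -1)   -> "testname1"
    only_test_name = mvindex(split(test_name, "."), -1)

    return {"OnlyFileName": only_file_name, "Line": line, "OnlyTestName": only_test_name}


if __name__ == "__main__":
    print(extract_fields(EVENT))
```

Each `mvindex(split(...))` line corresponds to one `| eval` in the search; chaining them on the existing field is the "continue splitting" step, and a token that does not contain the delimiter simply comes back unchanged rather than erroring.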

Try this regular expression.

| rex "[\S\/]+\/(?<FILE_NAME>\S+),\w+\)\s+[\S\.]+\.(?<TEST_NAME>\w+)$"
RichG

I would do this in a couple of distinct steps:

| rex field=_raw ":\s+error_code\W+(?<full_path>[^,]+),(?<line>[^)]+)\W+(?<test_path>.+)"

Followed by:

| rex field=full_path "(?<filename>\w+)$"

Followed by:

| rex field=test_path "(?<testname>[^\.]+)$"

Presuming, of course, that there are no dots in the "testname", this will work :)

warren
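To check the two regex answers above against sample events offline, here is an added Python harness (my code, not part of either answer): it rewrites Splunk's PCRE named groups `(?<name>...)` into the `(?P<name>...)` form Python's `re` module accepts, runs RichG's single-pass pattern and warren's three-step pipeline over two constructed events, and exposes one edge case the question's example hides: the step `(?<filename>\w+)$` stops at a dot, so a file name with an extension such as `login.py` comes back as just `py`. The second event, and the `STEP2_FIXED` pattern that takes everything after the last slash instead, are my additions.

```python
import re

# Two constructed events in the format the question describes (not real log lines).
# The second one uses a realistic file name with an extension and a numeric line.
EVENTS = [
    "tool_code: error_code (path1/path2/path3/filename1,line) path1.path2.path3.testname1",
    "lint: error_code (src/app/handlers/login.py,42) tests.app.handlers.test_login",
]

# Patterns copied verbatim from the answers above.
ONE_PASS = r"[\S\/]+\/(?<FILE_NAME>\S+),\w+\)\s+[\S\.]+\.(?<TEST_NAME>\w+)$"         # RichG
STEP1 = r":\s+error_code\W+(?<full_path>[^,]+),(?<line>[^)]+)\W+(?<test_path>.+)"    # warren
STEP2 = r"(?<filename>\w+)$"
STEP3 = r"(?<testname>[^\.]+)$"

# Assumed alternative for STEP2 (my suggestion, not from the answer): everything
# after the last slash, so dots in the file name survive.
STEP2_FIXED = r"(?<filename>[^/]+)$"


def splunk_to_python(pattern: str) -> str:
    """Splunk rex uses PCRE named groups (?<name>...); Python's re only understands
    (?P<name>...). Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def rex(pattern: str, text: str) -> dict:
    """Emulate `| rex field=<text> "<pattern>"`: the named groups of the first match,
    or an empty dict when the pattern does not match (Splunk then sets no fields)."""
    m = re.search(splunk_to_python(pattern), text)
    return m.groupdict() if m else {}


def extract_one_pass(event: str) -> dict:
    return rex(ONE_PASS, event)


def extract_three_step(event: str, filename_pattern: str = STEP2) -> dict:
    fields = rex(STEP1, event)
    if not fields:
        return {}
    # The second and third rex run against fields produced by the first one.
    fields.update(rex(filename_pattern, fields["full_path"]))
    fields.update(rex(STEP3, fields["test_path"]))
    return fields


if __name__ == "__main__":
    for event in EVENTS:
        print(event)
        print("  one pass  :", extract_one_pass(event))
        print("  three step:", extract_three_step(event))
        print("  fixed step:", extract_three_step(event, STEP2_FIXED))
```

Running this shows both answers agree on the question's own event. On the second event the single-pass pattern returns `login.py`, while the three-step pipeline returns `py` until `STEP2` is swapped for the slash-based version; the same kind of check applies to the `testname` step, which also keeps only the part after the last dot.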