I am new to Splunk. So I have a log which has contents (events) in this format:
`tool_code: error_code (path1/path2/path3/filename1,line) path1.path2.path3.testname1`
I wrote a rex to extract filenames and testnames. The rex is:
`| rex field=_raw "(?<UNW>\S+)\s+(?<UNWA>\S+)\s+(?<FILE_NAME>\S+)\s+(?<TEST_NAME>\S+)"`
This created a table of this format (by using this command: `| table FILE_NAME, TEST_NAME`):
| FILE_NAME | TEST_NAME |
| --- | --- |
| path1/path2/path3/filename1,line | path1.path2.path3.testname1 |
But I want FILE_NAME to hold only the name (filename1) and not the path (we should extract the contents before the last slash and after the comma), and similarly TEST_NAME should only have testname1 and not the path.
Kindly help me in achieving this.
You created a field that is called "FILE_NAME". What you can do now is make a new field using the split command:
`eval OnlyFileName = mvindex(split(FILE_NAME,"/"),-1)`
eval = make new field
mvindex(split = the split command
"/" = split by /
-1 = the last object in list.
Continue splitting until you get what you want.
I recommend using this way, which is much simpler than using regex all the time. It takes much less time...
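
The split approach from the answer above, carried through for both fields. This is an added example, not code from the original thread: the first event is the sample from the question, the second is a constructed event with no directory or package path, and `OnlyTestName` is a field name assumed here.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=case(n==1, "tool_code: error_code (path1/path2/path3/filename1,line) path1.path2.path3.testname1", n==2, "tool_code: error_code (constructed_file2,line) constructed_testname2")
| rex field=_raw "(?<UNW>\S+)\s+(?<UNWA>\S+)\s+(?<FILE_NAME>\S+)\s+(?<TEST_NAME>\S+)"
| eval OnlyFileName = mvindex(split(mvindex(split(FILE_NAME, "/"), -1), ","), 0)
| eval OnlyTestName = mvindex(split(TEST_NAME, "."), -1)
| eval OnlyFileName = ltrim(OnlyFileName, "(")
| table FILE_NAME, TEST_NAME, OnlyFileName, OnlyTestName
```

The inner `split` on `/` keeps the last path segment and the outer `split` on `,` keeps what precedes the comma. The `ltrim` only matters for events like the second one, where no slash precedes the file name and the opening parenthesis captured by `\S+` would otherwise remain.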