Hi all,
I have this expression to extract the character part of one string:
```
... | rex field=Equipment "^(?^[a-zA-Z]+)"
```
The field `Equipment` has content like MC01. I need the character part, in this case MC, and with the above search it works like a charm.
To make this field extraction permanent, I tried:
My props.conf
```
[sourcetype1]
...
REPORT-test = TEST
```
And in transforms.conf:
```
[TEST]
SOURCE_KEY = Equipment
REGEX = ^(?[\d+$])
```
But it doesn't work (I can't see the new field in a search after restarting Splunk). I think that inside `transforms.conf` the regular expression must be different (I don't know), because when I remove the ^ at the beginning of the regex (to do a test), I can see the field in search with 0 and 1 values.
Any suggestion?