topic Re: How to extract only the part of filename using regex expression? in Splunk Enterprise

How to extract only the part of filename using regex expression?

Ashwini008 — Tue, 23 Feb 2021 14:19:46 GMT

I have following file indexed

rw-r--r-- 1 dmu interface 7206 Jan 27 01:46 a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg
rw-r--r-- 1 dum interface 366Jan 27 02:45 c+d.zpettime.abcdpd1fo.600.2.20210127020002.gpg.

I need to capture only the following part from the filename

zpettime.abcdpd1fo.600
zgeypynd.pcsdatei.600

I am using this regex which is helping to capture only the filename from source i.e.a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg

| rex field=source ".*\/(?<filename>.*)$"

I want to extract after the first dot(.) till 600 number of the filename i.e. zgeypynd.pcsdatei.600 . Please help me with rex expression

Re: How to extract only the part of filename using regex expression?

scelikok — Tue, 23 Feb 2021 14:23:34 GMT

Hi @Ashwini008,

You can use below sample props.conf and transforms.conf in your indexers; you may need to play with regex to capture the correct part of filename.

props.conf [source::///dmd/archivy/*.gpg] TRANSFORMS-replace_source = replacesourcefilename transforms.conf [replacesourcefilename] SOURCE_KEY = MetaData:Source REGEX = \w\+\w\.(\w+\.\w+.\d+)\. DEST_KEY = MetaData:Source FORMAT= source::$1.gpg

Re: How to extract only the part of filename using regex expression?

Ashwini008 — Wed, 24 Feb 2021 05:17:31 GMT

@scelikok Thank you but i am seeking help on regex expression .

@martin_mueller @cpetterborg @somesoni2 @richgalloway could you please suggest?

Re: How to extract only the part of filename using regex expression?

scelikok — Wed, 24 Feb 2021 05:41:54 GMT

Hi @Ashwini008,

It was mentioned indexing before, that is why I put conf files. You can use below rex command;

|rex field=source "\w\+\w\.(?<filename>\w+\.\w+.\d+)\."

Re: How to extract only the part of filename using regex expression?

Ashwini008 — Wed, 24 Feb 2021 06:07:34 GMT

@scelikok Thank you . It worked as expected.

Re: How to extract only the part of filename using regex expression?

jotne — Wed, 24 Feb 2021 08:58:58 GMT

Here is an other regex. It uses the time as reference, then skip all until first dot.

\d+:\d+ [^.]+\.(?<file>.*?\d+)\.

Re: How to extract only the part of filename using regex expression?

cpetterborg — Wed, 24 Feb 2021 14:37:13 GMT

The following run-anywhere search string uses a rex command which will produce the results you want from the two examples provided:

| makeresults | eval source="a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg" | rex field=source "^[^\.]*\.(?<filename>.*\.600)"

The first part ^[^.]*\. is used to get rid of anything before the first .

The rest just captures the file name unto and including the 600.

This is also assuming that the filename is in the source , since what you seems to indicate that, but you can substitute whatever field works.