https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92730#M19262 <P>In case if your filename contains a <CODE>.</CODE> then</P> <PRE><CODE># For Unix style | rex field=&lt;fieldname&gt; "/(?&lt;newField&gt;[\w\d\.]+$)" </CODE></PRE> Mon, 21 Aug 2017 10:01:51 GMT koshyk 2017-08-21T10:01:51Z https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92724#M19256 <P>I am trying do a search for all exceptions and list the associated filename instead of the whole path+filename in my results table.</P> <P>I tried the following in my search but it didn't work:<BR /> Exception sourcetype=qagadc1 | rex ".<EM>?(?<EXCEPTION>(?:\w+.)+\w</EXCEPTION></EM>?Exception).<EM>" | rex field=source "(?<SOURCE>(/\w</SOURCE></EM>)+)/+(?<FNAME>\w+)+.*" |table source fname</FNAME></P> <P>my source structure is not unique, they are varies as follow:<BR /> /home/d1/d2/d3/fn1.log<BR /> /home/d1/d2/d3/d4/d5/fn2.out<BR /> /home/d1/d2/d3/d4/d5/d6/fn3.log<BR /><BR /> ...</P> <P>please help.</P> Fri, 12 Apr 2013 21:05:40 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92724#M19256 vincenty 2013-04-12T21:05:40Z https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92725#M19257 <P>To extract the last segment of a path from a field you can append this to your search:</P> <PRE><CODE> | eval field = replace(field, ".*/", "") </CODE></PRE> <P>Edit: If you want the last bit after the final dot you can modify the expression like this:</P> <PRE><CODE> | eval field = replace(field, ".*\.", "") </CODE></PRE> Fri, 12 Apr 2013 21:15:38 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92725#M19257 martin_mueller 2013-04-12T21:15:38Z https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92726#M19258 <P>actually, I am trying to get the filename extension (i.e fn2.out, fn3.log) as part of the "fname" returned. </P> <P>Tried appending what you suggested still does not give me fn3.log, or fn2.out etc.</P> Fri, 12 Apr 2013 21:48:49 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92726#M19258 vincenty 2013-04-12T21:48:49Z https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92727#M19259 <P>actually, I am trying to get the filename extension (i.e fn2.out, fn3.log) as part of the "fname" returned. </P> <P>Tried appending what you suggested still does not give me fn3.log, or fn2.out etc.</P> Fri, 12 Apr 2013 21:49:05 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92727#M19259 vincenty 2013-04-12T21:49:05Z https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92728#M19260 <P>actually, I am trying to get the filename extension (i.e fn2.out, fn3.log) as part of the "fname" returned. </P> <P>Tried appending what you suggested still does not give me fn3.log, or fn2.out etc.</P> Fri, 12 Apr 2013 21:49:31 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92728#M19260 vincenty 2013-04-12T21:49:31Z https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92729#M19261 <P>That's just a matter of modifying the expression, see my edited answer.</P> Fri, 12 Apr 2013 21:51:17 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92729#M19261 martin_mueller 2013-04-12T21:51:17Z https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92730#M19262 <P>In case if your filename contains a <CODE>.</CODE> then</P> <PRE><CODE># For Unix style | rex field=&lt;fieldname&gt; "/(?&lt;newField&gt;[\w\d\.]+$)" </CODE></PRE> Mon, 21 Aug 2017 10:01:51 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-filename-from-source/m-p/92730#M19262 koshyk 2017-08-21T10:01:51Z