topic Re: How do I extract the file path up to a variable number of '\'s? in Splunk Search

How do I extract the file path up to a variable number of '\'s?

ChrisCLewis — Thu, 15 Nov 2018 16:39:49 GMT

Good afternoon,

Many thanks in advance for any advice....

I am looking to extract the file path up to a variable number of back slashes

C:\a\b\c\d\e
C:\a\b\c\d\e\f\g
C:\a\b\c\....\n

I've looked at makemv, split, extract, regex but I can't see a way to get them to work for a variable number.

Eventually, I would like a form so someone can quickly choose how far down a path to go.

I would like to show how many entries match the path as well as the paths.

Regards

Re: How do I extract the file path up to a variable number of '\'s?

FrankVl — Fri, 16 Nov 2018 12:22:55 GMT

Like this?
(?<path>C:\\[^\\]+(?:\\[^\\]+){2})
Vary the number between the {} to vary the number of segments extracted (can also be 0).
https://regex101.com/r/wT5V6A/1

And you can tokenize that by replacing the number with $number_token$ or something like that.

Update as per comments below. In Splunk search bar, this would look like this: |rex field=full_path "(?<selected_path>.:\\\[^\\\]+(?:\\\[^\\\]+){2})"

Re: How do I extract the file path up to a variable number of '\'s?

ChrisCLewis — Tue, 29 Sep 2020 22:04:46 GMT

Many thanks for your help, it is working in regex101 but not on the data

|rex field=_raw (?.:\[^\]+(?:\[^\]+){$number_token$})

I did change "(?C:\" to "(?.:\" as path letter can change.

I've also used the field name in place of _raw and a number instead of the token

It is finding results but not pulling anything out into 'path'

Re: How do I extract the file path up to a variable number of '\'s?

FrankVl — Mon, 19 Nov 2018 13:10:15 GMT

Can you please use the 101010 button in the editor toolbar to post your search code as code, now certain special characters are disappearing. I'm guessing perhaps the escaping of the \ isn't working perfectly, but that's a bit hard to say with the search code being messed up by the splunk-answers board software.

Otherwise try and take a screenshot and upload that somewhere to share.

Re: How do I extract the file path up to a variable number of '\'s?

FrankVl — Mon, 19 Nov 2018 13:14:39 GMT

Played around with it myself a bit, looks like it needs tripple backslash to result in actual backslash match in rex command.

Try this run-anywhere query incl. sample data:

| makeresults | eval full_path="C:\a\b\c\d\e" |rex field=full_path "(?<selected_path>.:\\\[^\\\]+(?:\\\[^\\\]+){2})"

Re: How do I extract the file path up to a variable number of '\'s?

ChrisCLewis — Mon, 19 Nov 2018 13:28:19 GMT

Many thanks for the speedy (and working) update.

It's working perfectly - now to really get to grips with regex....