topic Re: Splunk rex help: regex for windows and unix path in Splunk Search

Splunk rex help: regex for windows and unix path

hbustam8063 — Thu, 31 Oct 2019 02:10:32 GMT

Hi, I am a newbie to SPL. I am trying to write a regex that will extract the unix/windows path from the full_log field. I am having no luck with that. Can you please help? The following regex is for Windows. Thank you for your help.
HB

index="newindx" agent.name="*-svrname-*" "*checksum*" | rex field=full_log "^File\s+(?<checksum_changed>^\'[a-zA-Z]:\\[\\\S|*\S]?.*'$)\s+checksum\s+changed.+"

full_log: File '/apps/data/db.data' checksum changed.
full_log: File 'c:\windows\system32\xpsservices.dll' checksum changed.

Re: Splunk rex help: regex for windows and unix path

richgalloway — Thu, 31 Oct 2019 02:46:21 GMT

Try ... | rex field=full_log "File '(?<path>.*)[\\\/]\w+\.\w+'". If that doesn't work, you may need more escape characters so try ...| rex field=full_log "File '(?<path>.*)[\\\\\/]\w+\.\w+'".

Re: Splunk rex help: regex for windows and unix path

vikcee — Thu, 31 Oct 2019 05:42:09 GMT

@hbustam8063

You can also use this.

...|rex " ( full_log: File\s\')(?<Path>(.*)+)[\/\\]\w+\.\w+'"

and to check your rex :- https://rubular.com/r/M2QDmpGvQr0Yts

Re: Splunk rex help: regex for windows and unix path

darrenfuller — Tue, 19 Nov 2019 16:09:17 GMT

Here is my attempt...

rex field=full_log "File\s\'(?<pathname>.+[\/\\])[^\\\/]+\'\schecksum\schanged\."

https://regex101.com/r/87ro6z/1

Re: Splunk rex help: regex for windows and unix path

jpolvino — Fri, 22 Nov 2019 16:59:28 GMT

Keep it simple!

rex field=full_log "^full_log:\sFile\s'(?<filename>[^']+)'\schecksum changed\."

Rather than trying to guess all legal characters, why not just tell rex "anything but a single quote" ?

This strategy will save you a lot of time, improve readability, and make your extractions much more durable.

See regex: https://regex101.com/r/iz1eYY/1

Re: Splunk rex help: regex for windows and unix path

woodcock — Fri, 22 Nov 2019 17:08:29 GMT

Like this:

... | rex field=full_log "'(?<NewFieldNameHere>[^']+)'"