https://community.splunk.com/t5/Splunk-Search/Fields-with-and-without-spaces/m-p/55022#M13426 <P>On my portal I have Solaris web logs from which I must extract file names that were downloaded by the end user. These files come from many different sources, individuals and companies. Sometimes the filenames have spaces in them and sometimes they do not. They are intermixed in the logs. </P> <P>These filenames have spaces in them:</P> <PRE><CODE>/krbox/resources/SW CH 32 0 2012-11-16.pdf /krbox/system/platform/krbox304b/Attachment 4 111026M123B.pdf /krbox/system/platform/krbox304b/Attachment 1 111026M121C-704.pdf /krbox/system/platform/krbox304b/Attachment 6 Functional Test Logs.zip </CODE></PRE> <P>While these do not:</P> <PRE><CODE>/krbox/reference/publications/XARP/cnf/tb11-5895-1893-13.pdf /krbox/system/platform/krbox304b/Attachment_7_D0206-001_KRBOX-304B_RS1Testing.pdf /krbox/system/platform/krbox304b/Attachment_1_111026M121C-704.pdf </CODE></PRE> <P>This is how they might look in the actual log:</P> <PRE><CODE>/krbox/reference/publications/XARP/cnf/tb11-5895-1893-13.pdf /krbox/resources/SW CH 32 0 2012-11-16.pdf /krbox/system/platform/krbox304b/Attachment_7_D0206-001_KRBOX-304B_RS1Testing.pdf /krbox/system/platform/krbox304b/Attachment 1 111026M121C-704.pdf /krbox/system/platform/krbox304b/Attachment 6 Functional Test Logs.zip /krbox/system/platform/krbox304b/Attachment_1_111026M121C-704.pdf /krbox/system/platform/krbox304b/Attachment 4 111026M123B.pdf </CODE></PRE> <P>I normally use the slash “/” as the delimiter in multi value fields to extract the filename. How can I extract the filenames regardless of the spaces? </P> Tue, 04 Jun 2013 18:31:01 GMT kmattern 2013-06-04T18:31:01Z https://community.splunk.com/t5/Splunk-Search/Fields-with-and-without-spaces/m-p/55022#M13426 <P>On my portal I have Solaris web logs from which I must extract file names that were downloaded by the end user. These files come from many different sources, individuals and companies. Sometimes the filenames have spaces in them and sometimes they do not. They are intermixed in the logs. </P> <P>These filenames have spaces in them:</P> <PRE><CODE>/krbox/resources/SW CH 32 0 2012-11-16.pdf /krbox/system/platform/krbox304b/Attachment 4 111026M123B.pdf /krbox/system/platform/krbox304b/Attachment 1 111026M121C-704.pdf /krbox/system/platform/krbox304b/Attachment 6 Functional Test Logs.zip </CODE></PRE> <P>While these do not:</P> <PRE><CODE>/krbox/reference/publications/XARP/cnf/tb11-5895-1893-13.pdf /krbox/system/platform/krbox304b/Attachment_7_D0206-001_KRBOX-304B_RS1Testing.pdf /krbox/system/platform/krbox304b/Attachment_1_111026M121C-704.pdf </CODE></PRE> <P>This is how they might look in the actual log:</P> <PRE><CODE>/krbox/reference/publications/XARP/cnf/tb11-5895-1893-13.pdf /krbox/resources/SW CH 32 0 2012-11-16.pdf /krbox/system/platform/krbox304b/Attachment_7_D0206-001_KRBOX-304B_RS1Testing.pdf /krbox/system/platform/krbox304b/Attachment 1 111026M121C-704.pdf /krbox/system/platform/krbox304b/Attachment 6 Functional Test Logs.zip /krbox/system/platform/krbox304b/Attachment_1_111026M121C-704.pdf /krbox/system/platform/krbox304b/Attachment 4 111026M123B.pdf </CODE></PRE> <P>I normally use the slash “/” as the delimiter in multi value fields to extract the filename. How can I extract the filenames regardless of the spaces? </P> Tue, 04 Jun 2013 18:31:01 GMT https://community.splunk.com/t5/Splunk-Search/Fields-with-and-without-spaces/m-p/55022#M13426 kmattern 2013-06-04T18:31:01Z https://community.splunk.com/t5/Splunk-Search/Fields-with-and-without-spaces/m-p/55023#M13427 <P>Due to the complexity of the field you will have to use regex. You can use a transform, inline rex, or inline regex extract your field.</P> <P>Below I start matching at end of line (end of field in this case) then create a not capture group for zip or pdf extentions then match everything expect for forward slash.</P> <P>Example using rex:<BR /> <CODE></CODE><PRE><CODE><BR /> …| rex field=&lt;your_field&gt; "(?&lt;filename&gt;[^/]+.(?:zip|pdf)$)"| table filename<BR /> </CODE></PRE></P> <P>Additional Reading:</P> <UL> <LI><A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Rex">Rex</A></LI> <LI><A href="http://www.regular-expressions.info/refadv.html">AdvancedRegex</A></LI> </UL> <P>Hope this help or gets you started.</P> <P>Cheers,</P> Tue, 04 Jun 2013 20:41:10 GMT https://community.splunk.com/t5/Splunk-Search/Fields-with-and-without-spaces/m-p/55023#M13427 bmacias84 2013-06-04T20:41:10Z https://community.splunk.com/t5/Splunk-Search/Fields-with-and-without-spaces/m-p/55024#M13428 <P>This extraction works at search time. In this case we capture anything at the end of the string ($) and the slash (/) delimiter.</P> <PRE><CODE>sourcetype="answers-1370378440" | rex field=_raw "/(?&lt; filename&gt;[a-zA-Z0-9\s_\.-]+)$" </CODE></PRE> <P>If the sample data is partial and you have the file name as a whole in a field, called <CODE>filename</CODE>, then you would use it like this:</P> <PRE><CODE>sourcetype="answers-1370378440" | rex field=filename "/(?&lt; filename&gt;[a-zA-Z0-9\s_\.-]+)$" </CODE></PRE> <HR /> <P>And, of course you can automate this with an entry in props.conf:</P> <PRE><CODE>[answers-1370378440] EXTRACT-filename = /(?&lt; filename&gt;[a-zA-Z0-9\s_\.-]+)$ </CODE></PRE> <HR /> <P>PS: There is a space in &lt;filename&gt; due to the markup.</P> Tue, 04 Jun 2013 20:51:55 GMT https://community.splunk.com/t5/Splunk-Search/Fields-with-and-without-spaces/m-p/55024#M13428 Gilberto_Castil 2013-06-04T20:51:55Z