https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-rex-statement-on-file-extension-or/m-p/479856#M134483 <P>Please share some sample data and desired extractions.</P> Thu, 23 Apr 2020 17:20:41 GMT richgalloway 2020-04-23T17:20:41Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-rex-statement-on-file-extension-or/m-p/479855#M134482 <P>I'm trying to figure out how to do a conditional rex statement that looks at a windows file path and determines if the last segment of the path has a ., it creates a field called extension, but if it doesn't end with an extension, it creates a field called directory and puts the full value (with spaces) of the last directory in the segment. Is there a way to do a conditional statement like this with rex?</P> Thu, 23 Apr 2020 17:04:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-rex-statement-on-file-extension-or/m-p/479855#M134482 mjones414 2020-04-23T17:04:58Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-rex-statement-on-file-extension-or/m-p/479856#M134483 <P>Please share some sample data and desired extractions.</P> Thu, 23 Apr 2020 17:20:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-rex-statement-on-file-extension-or/m-p/479856#M134483 richgalloway 2020-04-23T17:20:41Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-rex-statement-on-file-extension-or/m-p/479857#M134484 <P>Surely <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>FieldName=Object</P> <P>Value Examples:<BR /> c:\test directory with spaces\test_directory_with_underscores\filename (with: horrible habits).txt<BR /> c:\test directory with spaces\test_directory_with_underscores\little-child-directory</P> <P>Simple rex to get file extension:</P> <PRE><CODE>| rex field="object" "\.(?&lt;extension&gt;[^\.]*$)" </CODE></PRE> <P>extension:<BR /> txt</P> <P>(if extension is null, delimit by the last backslash .*$ and create a field called Directory with the value)</P> <P>Directory:<BR /> (want this to be little-child-directory)</P> Wed, 30 Sep 2020 05:05:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-rex-statement-on-file-extension-or/m-p/479857#M134484 mjones414 2020-09-30T05:05:19Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-rex-statement-on-file-extension-or/m-p/479858#M134485 <P>Given your question and the data that you have provided, I think that this "run anywhere" search shows a <CODE>rex</CODE> that will work as you have requested:</P> <PRE><CODE>| makeresults | eval data="c:\test directory with spaces\test_directory_with_underscores\filename (with: horrible habits).txt|c:\test directory with spaces\test_directory_with_underscores\little-child-directory" | makemv delim="|" data | mvexpand data | rex field=data "(\.(?&lt;ext&gt;[^.]+)|\\\(?&lt;dir&gt;[^.\\\]+))$" </CODE></PRE> <P>This rex requires some additional backslashes to make it interpret the backslashes that might appear on the file path, but it clearly shows that you can get one or the other of the fields that you want to extract from the data. The first three lines are just setting up the data, and the last one (with the <CODE>rex</CODE> command) is the one with all the magic.</P> Thu, 23 Apr 2020 19:08:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-rex-statement-on-file-extension-or/m-p/479858#M134485 cpetterborg 2020-04-23T19:08:46Z