topic Re: Regex to find a directory in a path in Splunk Search

Regex to find a directory in a path

rileyken — Wed, 30 Sep 2020 01:28:39 GMT

I have these paths as sources for an index (the paths are linux file system paths)

/usr/local/myfiles1/myfacilityA/Debug/ADT/ADT_2019-07-30.txt
/usr/local/myfiles2/myfacilityB/Debug/ADT/ADT_2019-07-30.txt
/usr/local/myfiles1/myfacilityC/Debug/ADT/ADT_2019-07-30.txt

i would like to be able to extract "myfacility" as a field so I can search for all of the events with that source path.

It would be fantastic to just capture everything between the /usr/local/myfiles? and the /Debug/ADT/ADT....

Re: Regex to find a directory in a path

jaime_ramirez — Tue, 30 Jul 2019 17:49:22 GMT

For myfacility field:

...
| rex field=source "\/usr\/local\/myfiles\d+\/myfacility(?<myfacility>.*?)\/Debug\/ADT\/"

And for everything between the /usr/local/myfiles? and the /Debug/ADT/ADT:

...
| rex field=source "\/usr\/local\/myfiles(?<myfacilityPath>.*?)\/Debug\/ADT\/"

Hope it helps

Re: Regex to find a directory in a path

rileyken — Wed, 31 Jul 2019 12:11:56 GMT

This was just what I was looking for! Thanks Jamie

Re: Regex to find a directory in a path

bwlm — Thu, 03 Dec 2020 06:32:58 GMT

If you would like to avoid cumbersome regex rules and are just looking for the fourth directory (or 0-4 directory path) you may want to consider the Splunk Multivalue eval functions "mvindex", "split", and "mvjoin" to do the work for you... note that the "nomv" commands are optional in most cases.