topic Re: How do I split a string which contains a path so I'm only getting the first two directories? in Splunk Search

How do I split a string which contains a path so I'm only getting the first two directories?

DamageSplunk — Sat, 20 Jun 2015 11:10:15 GMT

I have several thousand events with a path such as d:\RNREDINFFTP01-AVREDINFWFS01\ebtest1\foo\bar\filename2.txt. The folder name is not static - I'm using a fschange monitor to pull the events so the root directory RNREDINFFTP01-AVREDINFWFS01 and the tertiary directories are not static.

I want to show the size of the files based on the first or second directory, depending on the users need for detail. For instance.

d:\RNREDINFFTP01-AVREDINFWFS01   100 files 100mb

d:\RNREDINFFTP01-AVREDINFWFS01\ebtest1 50 files 50mb
d:\RNREDINFFTP01-AVREDINFWFS01\ebtest2 40 files 40mb
d:\RNREDINFFTP01-AVREDINFWFS01\ebtest3 10 files 10mb

I doubt I'll ever go past the 2nd directory. I've tried using rex and can't seem to get the groups right. If I was using vbscript or powershell I'd simply call split based on \ and then group by the first or the first+second directories. What am I missing?? ...and... what is the best way to tackle this?

Re: How do I split a string which contains a path so I'm only getting the first two directories?

woodcock — Sat, 20 Jun 2015 11:45:19 GMT

Try this:

... rex field=source "(?<PathPrefix>(?:[^\\\]+\\\){2})"

Re: How do I split a string which contains a path so I'm only getting the first two directories?

martin_mueller — Sun, 21 Jun 2015 08:48:48 GMT

That regex doesn't compile.

If you meant to use a non-capturing group it should be (?:, not (?;.

Re: How do I split a string which contains a path so I'm only getting the first two directories?

woodcock — Mon, 22 Jun 2015 16:13:39 GMT

Yes, thank you for catching the typo (stupid dumb-phone keyboard). It is fixed now.

Re: How do I split a string which contains a path so I'm only getting the first two directories?

DamageSplunk — Mon, 22 Jun 2015 19:16:36 GMT

Thanks but I'm getting a different error now, Error in 'rex' command: Encountered the following error while compiling the regex '(?(?:[^]+){2})': Regex: missing terminating ] for character class .

I don't see any issues, there's matching Parens and Braces. Any ideas?

Thanks - Eric

Re: How do I split a string which contains a path so I'm only getting the first two directories?

woodcock — Mon, 22 Jun 2015 19:32:01 GMT

OK, it turns out you need an additional escape character like this (fixed in original answer, too):

... rex field=source "(?<PathPrefix>(?:[^\\\]+\\\){2})"

Re: How do I split a string which contains a path so I'm only getting the first two directories?

DamageSplunk — Mon, 22 Jun 2015 19:36:29 GMT

That did it! Thank you.

Re: How do I split a string which contains a path so I'm only getting the first two directories?

fdinkler — Wed, 16 Mar 2022 15:11:39 GMT

I'm trying to adapt this for a UNIX path, and I can't tell why it's not working.

I have is

rex field=uri "(?<PathPrefix>(?:[^/]+/){2})"