topic Re: How do I use rex to extract filenames from UNC paths? in Splunk Search

How do I use rex to extract filenames from UNC paths?

mrgibbon — Fri, 10 Jun 2016 05:21:27 GMT

Hi All,

I've looked at quite a few answers to this issue and none seem to work for me.

Data Sample:

\\BLAH01\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH01\Group\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH01\Groups\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\coreos\coreos.vmx
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.vmx
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.nvram
\\BLAH02\BLAH\x\BLAH\VMware\VMware_Horizon6\ACP!5C!s_BLAH.vmdk
\\BLAH02\BLAH\RAMS\$Research\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH02\BLAH\Fil01\e_ev\Group\BLAH\Backups\Copy of BLAH\index.asp.LCK
\\BLAH02\BLAH\Fil01\d_ev\Users\BLAH\old pc files\BLAH\Local Settings\Application Data\Microsoft\Silverlight\mssl.lck

I just need a simple rex to pull out the filenames.
It should be easy, but it's taking me forever.
Can anyone help?

Thanks in advance.

Re: How do I use rex to extract filenames from UNC paths?

javiergn — Fri, 10 Jun 2016 07:01:32 GMT

See if the following helps:

| rex field=yourfieldname "(?<filename>[^\\\]+$)"

Example:

| stats count | fields - count
| eval raw = "
\\BLAH01\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Group\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Groups\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\coreos\coreos.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.nvram;
\\BLAH02\BLAH\x\BLAH\VMware\VMware_Horizon6\ACP!5C!s_BLAH.vmdk;
\\BLAH02\BLAH\RAMS\$Research\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\Fil01\e_ev\Group\BLAH\Backups\Copy of BLAH\index.asp.LCK;
\\BLAH02\BLAH\Fil01\d_ev\Users\BLAH\old pc files\BLAH\Local Settings\Application Data\Microsoft\Silverlight\mssl.lck
"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<filename>[^\\\]+$)"

Output: see picture

Re: How do I use rex to extract filenames from UNC paths?

mrgibbon — Fri, 10 Jun 2016 09:11:06 GMT

That is 400 different types of awesome!
Thanks so much!
:)

Re: How do I use rex to extract filenames from UNC paths?

mrgibbon — Fri, 10 Jun 2016 09:13:37 GMT

Is there a way of getting the path without the filename on the end? 🙂

Re: How do I use rex to extract filenames from UNC paths?

javiergn — Fri, 10 Jun 2016 11:09:12 GMT

Yes, try this:

| rex field=yourfieldname "(?<path>.+)\\\(?<filename>[^\\\]+$)"

Keep in mind Splunk is replacing the double backslash with single backslash on my example, but the principle is the same anyway.