topic Re: How to extract file tyes from .txt file in Splunk Search

How to extract file tyes from .txt file

sunnyparmar — Thu, 24 Sep 2015 11:48:57 GMT

Hi,

I have a one text file which have some entries with the file types .pdf, .tif so now i want to make one hourly dashboard to keep an eye on those file types that how many files are coming hourly on the server? My query is something like below but didn't get result with this

index="abc" source="file path"  | rex "\.(<_file_type>\w+)\.\."  | eval file_type=upper(_file_type) | timechart span=1h count by file_type

Thanks

Re: How to extract file tyes from .txt file

sover — Thu, 24 Sep 2015 21:43:32 GMT

Hi @sunnyparmar, can you add a snippet of the log file you indexing? Thanks

Re: How to extract file tyes from .txt file

gcato — Thu, 24 Sep 2015 22:29:33 GMT

Also remember that a "." in a regex expression means any character. You have to escape the . character with a backslash if you want to match a literal . character.

http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/AboutSplunkregularexpressions

Re: How to extract file tyes from .txt file

woodcock — Thu, 24 Sep 2015 22:38:07 GMT

The rex part had some mistakes; try this:

index="abc" source="file path" | rex "\.(?<file_type>\w+)" | eval file_type=upper(file_type) | timechart span=1h count by file_type

Re: How to extract file tyes from .txt file

sunnyparmar — Tue, 29 Sep 2020 07:23:20 GMT

Hi,

It is like given below .. I have added one example of .pdf and another for .tif

TIMESTAMP - [2015-09-21 10:14:12.576] THREAD ID - [48] CONTENT - File Archived C:\BSCS\wienerberger_de\BSCSEmail\20150921_101351_WIENERBERG_EMAIL_1442819631609.PDF
TIMESTAMP - [2015-09-21 10:08:30.553] THREAD ID - [42] CONTENT - File Archived C:\BSCS\XeroxFinland_fi\destia_fi\pl801e_destiamaansiirto_000\upload\20150921_093331_DESTI0801FI_20150921000003_000028.tif

Thanks

Re: How to extract file tyes from .txt file

sunnyparmar — Fri, 25 Sep 2015 06:40:30 GMT

Hi,

thanks for replying but if i am running your command so its giving me the result with 2 columns that is

1.) timeframe 2.) NULL in which it is showing the counts in thousands that is too much. What I would like to say here that counts are wrong because in my log files hardly .pdf and .tif counts are in hundreds and moreover when I am clicking on view events then again it is showing "no result founds".

Regards

Re: How to extract file tyes from .txt file

sunnyparmar — Tue, 29 Sep 2020 07:23:23 GMT

this is an example of my log file...

TIMESTAMP - [2015-09-21 10:14:12.576] THREAD ID - [48] CONTENT - File Archived C:BSCSwienerberger_deBSCSEmail20150921_101351_WIENERBERG_EMAIL_1442819631609.PDF
TIMESTAMP - [2015-09-21 10:08:30.553] THREAD ID - [42] CONTENT - File Archived C:BSCSXeroxFinland_fidestia_fipl801e_destiamaansiirto_000upload20150921_093331_DESTI0801FI_20150921000003_000028.tif

Re: How to extract file tyes from .txt file

gcato — Sat, 26 Sep 2015 07:05:37 GMT

Thanks for the examples. The current rex command will also match the microseconds (\w matches numbers too) on the timestamp which probably explains the count mismatch. If the filetype . suffix is always at the end of each event line then this regex will be far more accurate.

... | rex "\.(?<file_type>[a-zA-Z]+)$" | eval file_type=upper(file_type)

The [a-zA-Z]+ will now only match letters and the $ is a special character denoting line end. This should help prevent false matches.

Re: How to extract file tyes from .txt file

sunnyparmar — Sun, 27 Sep 2015 04:49:23 GMT

Hi Buddy,

thanks a ton .. its started working..

Regards