Regex help in Field extraction

lakromani · ‎06-24-2014

Hi I have an FTP server that gives data in following format:

[3] Wed 23Jun14 05:00:32 - (004890) Sent file d:\ftp\info\status\security update32.rar successfully (80.0 kB/sec - 45463 Bytes)
[3] Wed 24Jun14 05:00:32 - (004896) Sent file d:\ftp\log\webserver 1 updates.rar successfully (80.0 kB/sec - 543575 Bytes)

I do like the filename logged so I use the following Field extraction

Sent file (?<FTP_File_Sent>.*) successfully

For my example this gives the following:

d:\ftp\info\status\security update32.rar
d:\ftp\log\webserver 1 updates.rar

I would like to change the regex, so that it skips also the directory and only gives:

security update32.rar
webserver 1 updates.rar

PS File name do contain spaces, and directory depth do varies.

Thanks in advance

MuS · ‎06-25-2014

Hi lakromani,

try something like this as regex, this was tested and working on regexr

\\(.+\\)*(?<FTP_File_Sent>[\w\d\s]+\.\w+)\s

This will match from your provided examples the following strings:

d:\ftp\info\status\security update32.rar
d:\ftp\log\webserver 1 updates.rar

hope this helps ...

cheers, MuS

lakromani · ‎06-25-2014

Hi, Thanks for the answer, I solved it by using this: Sent file .*\\(?<FTP_File_Sent>.*) successfully

Regex help in Field extraction

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

Regex help in Field extraction

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console