Archive

How to rex a uri path in order to get a filename with certian extensions lik .pdf .exe .zip

Explorer

Right now Im using

rex field=csuripath "^.*\/(?[^.\/]+.(?:[^.\/]){3,4})$"

but im missing files like blah.1.0.8file.exe
and double extensions like .pdf.exe

I cant seem to adjust to pick out these exceptions

1 Solution

SplunkTrust
SplunkTrust

Try this

... | rex (?<cs_uri_path>\S+)(?<=\.exe)

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Try this

... | rex (?<cs_uri_path>\S+)(?<=\.exe)

View solution in original post

0 Karma

Esteemed Legend

Try this:

... | rex field=cs_uri_path "(?ms)(?<filename>[^\\\/\r\n\s]+)[\r\n$]"

Also try this app:

https://splunkbase.splunk.com/app/2734/

0 Karma

Explorer

That one wont work.
This is what I am using and it works fine i just need to have it be able to pick up files that may have "." in there names like blah1.0.8update.exe

"^.*\/(?[^.\/]+.(?:[^.\/]){3,4})$"

0 Karma

Esteemed Legend

Why won't it work? Your seems tediously overcomplicated. Give me the exception where the simpler one fails.

0 Karma