Solved: How to rex a uri path in order to get a filename w...

alexburst37 · ‎03-27-2017

Right now Im using

rex field=cs_uri_path "^.*\/(?[^.\/]+.(?:[^.\/]){3,4})$"

but im missing files like blah.1.0.8file.exe
and double extensions like .pdf.exe

I cant seem to adjust to pick out these exceptions

skoelpin · ‎03-27-2017

Try this

... | rex (?<cs_uri_path>\S+)(?<=\.exe)

View solution in original post

skoelpin · ‎03-27-2017

Try this

... | rex (?<cs_uri_path>\S+)(?<=\.exe)

woodcock · ‎03-27-2017

Try this:

... | rex field=cs_uri_path "(?ms)(?<filename>[^\\\/\r\n\s]+)[\r\n$]"

Also try this app:

https://splunkbase.splunk.com/app/2734/

alexburst37 · ‎03-27-2017

That one wont work.
This is what I am using and it works fine i just need to have it be able to pick up files that may have "." in there names like blah1.0.8update.exe

"^.*\/(?[^.\/]+.(?:[^.\/]){3,4})$"

woodcock · ‎03-27-2017

Why won't it work? Your seems tediously overcomplicated. Give me the exception where the simpler one fails.

How to rex a uri path in order to get a filename with certian extensions lik .pdf .exe .zip

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!