Hi,
I'm trying to extract the basename, that is abc.log,
from the below
D:\Program Files\User\abc.log
using | eval source= replace(source, ".*/", "")
or
| eval source= replace(source, ".*\.", "")
but this is printing the full path. Can you please suggest a solution?
Try any of these (first line is to generate the dummy rows, replace it with your search)
| gentimes start=-1 | eval source="D:\Program Files\User\abc.log" | table source
| rex field=source "\\\(?<filename>\w+\.\w+)$"
| eval filename2=replace(source,"([^\\\]+\\\)","")
A very late reply. But this works very well to get the base path:
| makeresults
| eval path="/opt/splunk/etc/system/local/inputs.conf"
| eval base_path=replace(path,"\/[^\/]+\.[^\/]+$","")
| table path base_path
For just getting the basename / filename from a file path (e.g. executable file from Windows Security 4688 - new process event) I would just use the Splunk built-in Multivalue eval functions "split" and "mvindex" commands. If regex can be avoided for simplicity, I would suggest that - unless it is the best tool for the job.
| eval ExeName=mvindex(split(New_Process_Name,"\\"),-1)
Yes, the file name always appears after "D:\Program Files\User\" and what I want is only the string before "_00459E5E.log" from the file name.
i.e., "EXTRACT_VP_IN_SVN_TEST_USER"
Hi, the one below worked fine.
| eval filename2=replace(source,"([^\\\]+\\\)","")
However my log file is like
D:\Program Files\User\"EXTRACT_VP_IN_SVN_TEST_USER_00459E5E.log
It prints "EXTRACT_VP_IN_SVN_TEST_USER_00459E5E.log". I need only EXTRACT_VP_IN_SVN_TEST_USER in a field. Any ideas are much appreciated.
Is there any pattern for your file names that can be used to drop those extra characters?
Yes, the log file always appears after "D:\Program Files\User"
and the file name always comes after "EXTRACT_VP_IN"
and before
"_00459E5E.log"
What I need is only "SVN_TEST_USER"
You should try Field Extractions in Splunk: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX
For the example, you could try something like this:
| rex field=source "(?<=\\\)(?<filename>[^\\\]+(?=.log).log)"
@somesoni2 provides a much better regex (unsurprisingly) and also that would work for any file extension. I will now go ahead and drown in my sorrow.
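The follow-up question in this thread (getting only "SVN_TEST_USER" out of the file name) can be handled by chaining three small extractions. This is an added example, not a post from the thread: the field names basename, stem and job are hypothetical, the three sample paths are constructed from the ones quoted above, and the trailing ID is assumed to always be eight hex characters followed by an extension.

```spl
| makeresults
| eval source=split("D:\\Program Files\\User\\abc.log|D:\\Program Files\\User\\EXTRACT_VP_IN_SVN_TEST_USER_00459E5E.log|/opt/splunk/etc/system/local/inputs.conf", "|")
| mvexpand source
| rex field=source "(?<basename>[^\\\\/]+)$"
| rex field=basename "^(?<stem>.+)_[0-9A-Fa-f]{8}\.[^.]+$"
| rex field=stem "^EXTRACT_VP_IN_(?<job>.+)$"
| table source basename stem job
```

The first rex accepts both `\` and `/` as separators, so the same search works on Windows and Unix paths. Rows whose file name does not carry the ID suffix or the EXTRACT_VP_IN_ prefix simply leave stem or job empty instead of returning a wrong value.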