Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get the length of a file name before the extension

landen99
Motivator
‎03-12-2014 01:13 PM

I searched this one quite a bit because the solution seemed like it would be really easy.

Given the filename field has only a name.extension, I want to count the length of the name, which is 4 in this case.

In Excel, I would just do =len(left(A2,Find(“.“,A2))), I believe. Seems really easy.

Examples:
a.txt 1
bee.bat 3
ce.command 2

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-12-2014 01:41 PM

Take a look at this:

| stats count | eval file="a.txt bee.bat ce.command" | makemv file | mvexpand file | eval count = length(replace(file, "\.[^.]+$", ""))

That creates a field file with your examples, and computes a field count that matches your results - that's the eval at the end, same strategy as your Excel computation.

View solution in original post

Reply
Solved! Jump to solution

landen99
Motivator
‎03-13-2014 05:49 AM

The actual excel code would really be: =LEN(LEFT(A1,FIND(".",A1,1)-1))

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-12-2014 01:41 PM

Take a look at this:

| stats count | eval file="a.txt bee.bat ce.command" | makemv file | mvexpand file | eval count = length(replace(file, "\.[^.]+$", ""))

That creates a field file with your examples, and computes a field count that matches your results - that's the eval at the end, same strategy as your Excel computation.

Reply
Solved! Jump to solution

landen99
Motivator
‎03-13-2014 06:23 AM

Perfect. Thank you very much for your insight and guidance here.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-13-2014 06:07 AM

As for your question "-What is the difference between your regex and ^(.*)\..*$? They seem to do the same thing as well.", yours looks for the first literal dot while mine looks for the last literal dot. An example:

some.other.file(.name) --> my regex will match only the .name, length is 14
some(.other.file.name) --> your regex will match the entire string, and when replaced with $1 the remaining length will be 4
0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-13-2014 06:04 AM

I have edited the comment, the four-spaces-block needs an empty line before it to work properly. Now asterisks and all that are rendered correctly. For posting code blocks inline surround it by backticks (`).

0 Karma
Reply
Solved! Jump to solution

landen99
Motivator
‎03-13-2014 06:00 AM

I added 4 spaces before each regex expression. Is that what you were after?

I wish this site was easier to post to. I have a lot of difficulty with the captcha working and there are no tools for inserting html codes like spoiler, code, image, etc to the post.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-13-2014 05:49 AM

My regex works like this, from right to left:

  • Anchor to the end of the field
  • Match one or more characters that are not a literal dot
  • Match one literal dot

Then that match is removed from the string by the replace, so the length only counts the filename without the extension. Some examples, with parentheses denoting the matched and removed part:

file(.name) --> length is 4
some.other.file(.name) --> length is 14
(.hidden) --> length is 0
0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-13-2014 05:47 AM

I start the search with | stats count to get an empty event to work with, no need for data from any index. The first eval | makemv | mvexpand builds simulation data, the eval at the end is the part you need for your search... it might look something like this:

index=foo sourcetype=bar filename=* | eval filename_length = length(replace(filename, "\.[^.]+$", ""))

Your regexes are hard to read, Splunk Answers treats backslashes, asterisks, and underscores within regular text as special characters. Prepend four spaces to your regexes to avoid that.

0 Karma
Reply
Solved! Jump to solution

landen99
Motivator
‎03-13-2014 05:41 AM

Your answer helped me to build the search below for good results:

| eval file_length=length(replace(filename, "\.[^.]+$", ""))
  • Does your search produce the same results or something different than the search above?
  • Also, why do you invoke stats count and count in eval?

Here are a few of the regex suggestions I have read:

([^\.]*)
/^(.+)(\.[^ .]+)?$/
\.[^.]*$
(.+?)(\.[^.]*$|$)
(.+?)\.[^\.]+$
(.+?)(\.[^\.]+$|$)
^(.*)\..*$

Learning regex atm.
-What is the difference between your regex and ^(.*)\..*$? They seem to do the same thing as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...