Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract parent folder and sub folder path from windows and nix format

ramuzzini
Path Finder
‎09-26-2024 09:30 AM

Need some assistance with creating a query where I am trying to capture the parent folder and the 1st child folder respectively from a print output log that has both windows and linux folder paths.  Sample data and folder paths I am trying to get in a capture group is in bold.

_time,     username,      computer,      printer,      source_dir,      status

2024-09-24 15:32 ,   auser, cmp_auser,  print01_main1,   \\cpn-fs.local\data\program\...,          Printed
2024-09-24 13:57 ,   buser, cmp_buser,  print01_offic1,   c:\program files\documents\...,            Printed
2024-09-24 12:13 ,   cuser, cmp_cuser,  print01_offic2,   \\cpn-fs.local\data\transfer\...,            In queue
2024-09-24 09:26,    buser, cmp_buser,  print01_offic1,   F:\transfers\program\...,                           Printed
2024-09-24 09:26,    buser, cmp_buser,  print01_front1,   \\cpn-fs.local\transfer\program\...,  Printed
2024-09-24 07:19,    auser, cmp_auser,   print01_main1,   \\cpn-fs.local\data\program\....,         In queue

I am currently using a Splunk query where I call these folders in my initial search, but I want to control this using a rex command so I can add an eval command to see if they were printed locally or from a server folder.  Current query is:

index=printLog  source_dir IN ("\\\\cpn-fs.local\data\*", "\\\\cpn-fs.local\transfer\*",  "c:\\program files\\*", " F:\\transfer\\*" )  status== "Printed"
| table status, _time, username, computer, printer, source_dir

I tried using the following rex but didn't get any return:
     | rex field=source_dir "(?i)<FolderPath>(?i[A-Z][a-z]\:|\\\\{1})[^\\\\]+)\\\\[^\\\\]+\\\\)"

In my second effort, through Splunk I generated these two regex using the field extractor respectively.  I know I need to pipe them to add the "OR" operator when comparing the windows and Linux paths but I get an error when trying to combine them.

Regex generated from windows:  c:\program files 
^[^ \n]* \w+,,,(?P<FolderPath>\w+:\\\w+)

Regex generated from linux: \\cpn-fs.local\data
^[^ \n]* \w+,,,(?P<FolderPath>\\\\\w+\-\w+\d+\.\w+\.\w+\\\w+)

To start, I am looking for an output which should look like what is seen below to replace the "source_dir" with the rex "FolderPath"  created

_time,     username,      computer,      printer,      FolderPath,      file,    status

2024-09-24 15:32 ,   auser, cmp_auser,  print01_main1,   \\cpn-fs.local\data\,    Printed
2024-09-24 13:57 ,   buser, cmp_buser,  print01_offic1,   c:\program files\,            Printed


Thanks for any help given.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-26-2024 12:41 PM 
| makeresults format=csv data="_time,     username,      computer,      printer,      source_dir,      status
2024-09-24 15:32 ,   auser, cmp_auser,  print01_main1,   \\\\cpn-fs.local\data\program\...,          Printed
2024-09-24 13:57 ,   buser, cmp_buser,  print01_offic1,   c:\program files\documents\...,            Printed
2024-09-24 12:13 ,   cuser, cmp_cuser,  print01_offic2,   \\\\cpn-fs.local\data\transfer\...,            In queue
2024-09-24 09:26,    buser, cmp_buser,  print01_offic1,   F:\transfers\program\...,                           Printed
2024-09-24 09:26,    buser, cmp_buser,  print01_front1,   \\\\cpn-fs.local\transfer\program\...,  Printed
2024-09-24 07:19,    auser, cmp_auser,   print01_main1,   \\\\cpn-fs.local\data\program\....,         In queue"
| rex field=source_dir "(?P<FolderPath>(\\\\\\\\[^\\\\]+|\w:)\\\\[^\\\\]+\\\\)"

View solution in original post

Reply
Solved! Jump to solution

ramuzzini
Path Finder
‎09-26-2024 10:27 AM

Appreciate the help.  This is working in part.  For the server path, I am getting the proper output. 

However, for the drive path, I am getting a result as c:\program files\documents\ or F:\transfers\program\ and not c:\program files\  or F:\transfers\.   Trying to make the output see that the drive letter is the root folder.  I should have worded it as the root location.  Also, I have done some review of rex/regex videos online and still learning and trying to decipher each part of the regular expression and how they are broken up to capture each part of the file path.  Can you explain this a bit or point me to any additional tutorial that can help me understand this more.  Much appreciated.  

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-26-2024 12:41 PM 
| makeresults format=csv data="_time,     username,      computer,      printer,      source_dir,      status
2024-09-24 15:32 ,   auser, cmp_auser,  print01_main1,   \\\\cpn-fs.local\data\program\...,          Printed
2024-09-24 13:57 ,   buser, cmp_buser,  print01_offic1,   c:\program files\documents\...,            Printed
2024-09-24 12:13 ,   cuser, cmp_cuser,  print01_offic2,   \\\\cpn-fs.local\data\transfer\...,            In queue
2024-09-24 09:26,    buser, cmp_buser,  print01_offic1,   F:\transfers\program\...,                           Printed
2024-09-24 09:26,    buser, cmp_buser,  print01_front1,   \\\\cpn-fs.local\transfer\program\...,  Printed
2024-09-24 07:19,    auser, cmp_auser,   print01_main1,   \\\\cpn-fs.local\data\program\....,         In queue"
| rex field=source_dir "(?P<FolderPath>(\\\\\\\\[^\\\\]+|\w:)\\\\[^\\\\]+\\\\)"
Reply
Solved! Jump to solution

ramuzzini
Path Finder
‎10-09-2024 11:34 AM

Thanks for the help.  Much appreciated.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-26-2024 10:01 AM

Try something like this

| makeresults format=csv data="_time,     username,      computer,      printer,      source_dir,      status
2024-09-24 15:32 ,   auser, cmp_auser,  print01_main1,   \\\\cpn-fs.local\data\program\...,          Printed
2024-09-24 13:57 ,   buser, cmp_buser,  print01_offic1,   c:\program files\documents\...,            Printed
2024-09-24 12:13 ,   cuser, cmp_cuser,  print01_offic2,   \\\\cpn-fs.local\data\transfer\...,            In queue
2024-09-24 09:26,    buser, cmp_buser,  print01_offic1,   F:\transfers\program\...,                           Printed
2024-09-24 09:26,    buser, cmp_buser,  print01_front1,   \\\\cpn-fs.local\transfer\program\...,  Printed
2024-09-24 07:19,    auser, cmp_auser,   print01_main1,   \\\\cpn-fs.local\data\program\....,         In queue"
| rex field=source_dir "(?P<FolderPath>(\\\\\\\\|\w:\\\\)[^\\\\]+\\\\\w+)"

btw, they are not really Linux paths as linux uses forward slashes "/"

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...