Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Rex pattern to extract unc path from xml
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk2019tlmd
Engager
04-16-2020
04:35 PM
I like to extract the UNC path from a log, below a portion from the file :
;<soa:FileSystem identifier="8ec65285-11ac-45a5-9652-425b7494b0df" name="Windows" description="Windows File System" leftaligncheckboxes="false" instance="102711ce-e483-46bc-bf6c-f42ae6faf234" signature="00000000-0000-0000-0000-000000000000" scheme="file" opencapable="true" consumeopen="true" emitopen="true"><soa:Location>file://fileserver/folder/folder1/folder2/</soa:Location
I like to have this part: //fileserver/folder/folder1/folder2
I have tried different rex combination without luck, any suggestions.
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
memarshall63
Communicator
04-16-2020
06:00 PM
Maybe this will help...
| makeresults
| eval mystring = "<soa:FileSystem identifier=\"8ec65285-11ac-45a5-9652-425b7494b0df\" name=\"Windows\" description=\"Windows File System\" leftaligncheckboxes=\"false\" instance=\"102711ce-e483-46bc-bf6c-f42ae6faf234\" signature=\"00000000-0000-0000-0000-000000000000\" scheme=\"file\" opencapable=\"true\" consumeopen=\"true\" emitopen=\"true\"><soa:Location>file://fileserver/folder/folder1/folder2/</soa:Location>"
| rex field=mystring "<soa:Location>file:(?P<filelocation>[^<]*)<\/soa:Location>"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
memarshall63
Communicator
04-16-2020
06:00 PM
Maybe this will help...
| makeresults
| eval mystring = "<soa:FileSystem identifier=\"8ec65285-11ac-45a5-9652-425b7494b0df\" name=\"Windows\" description=\"Windows File System\" leftaligncheckboxes=\"false\" instance=\"102711ce-e483-46bc-bf6c-f42ae6faf234\" signature=\"00000000-0000-0000-0000-000000000000\" scheme=\"file\" opencapable=\"true\" consumeopen=\"true\" emitopen=\"true\"><soa:Location>file://fileserver/folder/folder1/folder2/</soa:Location>"
| rex field=mystring "<soa:Location>file:(?P<filelocation>[^<]*)<\/soa:Location>"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk2019tlmd
Engager
04-16-2020
06:53 PM
Thank you for answering,
If I add the exact portion it works, but this is part of a bigger log file that I extract other fields, how could I modified the |eval function for the whole search ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
memarshall63
Communicator
04-16-2020
07:12 PM
Sorry.. I don't know what you mean. You could just look for the file: string. So something like:
| rex field=mystring "file:(?P<filelocation>[^<]*)"
this just looks for "file:" and then grabs whatever comes after it.
Get Updates on the Splunk Community!
Transforming Financial Data into Fraud Intelligence
Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...
How to send events & findings from AWS to Splunk using Amazon EventBridge
Amazon EventBridge is a serverless service that uses events to connect application components together, making ...
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
