Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Rex pattern to extract unc path from xml
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk2019tlmd
Engager
04-16-2020
04:35 PM
I like to extract the UNC path from a log, below a portion from the file :
;<soa:FileSystem identifier="8ec65285-11ac-45a5-9652-425b7494b0df" name="Windows" description="Windows File System" leftaligncheckboxes="false" instance="102711ce-e483-46bc-bf6c-f42ae6faf234" signature="00000000-0000-0000-0000-000000000000" scheme="file" opencapable="true" consumeopen="true" emitopen="true"><soa:Location>file://fileserver/folder/folder1/folder2/</soa:Location
I like to have this part: //fileserver/folder/folder1/folder2
I have tried different rex combination without luck, any suggestions.
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
memarshall63
Communicator
04-16-2020
06:00 PM
Maybe this will help...
| makeresults
| eval mystring = "<soa:FileSystem identifier=\"8ec65285-11ac-45a5-9652-425b7494b0df\" name=\"Windows\" description=\"Windows File System\" leftaligncheckboxes=\"false\" instance=\"102711ce-e483-46bc-bf6c-f42ae6faf234\" signature=\"00000000-0000-0000-0000-000000000000\" scheme=\"file\" opencapable=\"true\" consumeopen=\"true\" emitopen=\"true\"><soa:Location>file://fileserver/folder/folder1/folder2/</soa:Location>"
| rex field=mystring "<soa:Location>file:(?P<filelocation>[^<]*)<\/soa:Location>"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
memarshall63
Communicator
04-16-2020
06:00 PM
Maybe this will help...
| makeresults
| eval mystring = "<soa:FileSystem identifier=\"8ec65285-11ac-45a5-9652-425b7494b0df\" name=\"Windows\" description=\"Windows File System\" leftaligncheckboxes=\"false\" instance=\"102711ce-e483-46bc-bf6c-f42ae6faf234\" signature=\"00000000-0000-0000-0000-000000000000\" scheme=\"file\" opencapable=\"true\" consumeopen=\"true\" emitopen=\"true\"><soa:Location>file://fileserver/folder/folder1/folder2/</soa:Location>"
| rex field=mystring "<soa:Location>file:(?P<filelocation>[^<]*)<\/soa:Location>"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk2019tlmd
Engager
04-16-2020
06:53 PM
Thank you for answering,
If I add the exact portion it works, but this is part of a bigger log file that I extract other fields, how could I modified the |eval function for the whole search ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
memarshall63
Communicator
04-16-2020
07:12 PM
Sorry.. I don't know what you mean. You could just look for the file: string. So something like:
| rex field=mystring "file:(?P<filelocation>[^<]*)"
this just looks for "file:" and then grabs whatever comes after it.
Get Updates on the Splunk Community!
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Splunk AppDynamics Agents Webinar Series
Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...
SplunkTrust Application Period is Officially OPEN!
It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open!
If you ...
