Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Rex pattern to extract unc path from xml
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk2019tlmd
Engager
04-16-2020
04:35 PM
I like to extract the UNC path from a log, below a portion from the file :
;<soa:FileSystem identifier="8ec65285-11ac-45a5-9652-425b7494b0df" name="Windows" description="Windows File System" leftaligncheckboxes="false" instance="102711ce-e483-46bc-bf6c-f42ae6faf234" signature="00000000-0000-0000-0000-000000000000" scheme="file" opencapable="true" consumeopen="true" emitopen="true"><soa:Location>file://fileserver/folder/folder1/folder2/</soa:Location
I like to have this part: //fileserver/folder/folder1/folder2
I have tried different rex combination without luck, any suggestions.
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
memarshall63
Communicator
04-16-2020
06:00 PM
Maybe this will help...
| makeresults
| eval mystring = "<soa:FileSystem identifier=\"8ec65285-11ac-45a5-9652-425b7494b0df\" name=\"Windows\" description=\"Windows File System\" leftaligncheckboxes=\"false\" instance=\"102711ce-e483-46bc-bf6c-f42ae6faf234\" signature=\"00000000-0000-0000-0000-000000000000\" scheme=\"file\" opencapable=\"true\" consumeopen=\"true\" emitopen=\"true\"><soa:Location>file://fileserver/folder/folder1/folder2/</soa:Location>"
| rex field=mystring "<soa:Location>file:(?P<filelocation>[^<]*)<\/soa:Location>"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
memarshall63
Communicator
04-16-2020
06:00 PM
Maybe this will help...
| makeresults
| eval mystring = "<soa:FileSystem identifier=\"8ec65285-11ac-45a5-9652-425b7494b0df\" name=\"Windows\" description=\"Windows File System\" leftaligncheckboxes=\"false\" instance=\"102711ce-e483-46bc-bf6c-f42ae6faf234\" signature=\"00000000-0000-0000-0000-000000000000\" scheme=\"file\" opencapable=\"true\" consumeopen=\"true\" emitopen=\"true\"><soa:Location>file://fileserver/folder/folder1/folder2/</soa:Location>"
| rex field=mystring "<soa:Location>file:(?P<filelocation>[^<]*)<\/soa:Location>"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk2019tlmd
Engager
04-16-2020
06:53 PM
Thank you for answering,
If I add the exact portion it works, but this is part of a bigger log file that I extract other fields, how could I modified the |eval function for the whole search ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
memarshall63
Communicator
04-16-2020
07:12 PM
Sorry.. I don't know what you mean. You could just look for the file: string. So something like:
| rex field=mystring "file:(?P<filelocation>[^<]*)"
this just looks for "file:" and then grabs whatever comes after it.
Get Updates on the Splunk Community!
AppDynamics Summer Webinars
This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
SOCin’ it to you at Splunk University
Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
