Solved: regex - everything after last slash

jacqu3sy · ‎12-16-2019

Hi,

How do I write a regex to capture everything after the final \ of a file name and search for within the query?

i.e. \wtf\test\thisbithere.exe

This works on regexe101:

([^\]+$)

But trying to use inline via the following keeps failing;

| rex field=_raw "(?([^\]+$)"

any ideas?

vnravikumar · ‎12-16-2019

Hi

Try this

| makeresults 
| eval temp=" \wtf\test\thisbithere.exe" 
| rex field=temp "(?P<filename>[^\\\]+)$"

or

| makeresults 
| eval temp="\wtf\test\thisbithere.exe" 
|eval filename =mvindex(split(temp,"\\"),-1)

View solution in original post

jpolvino · ‎12-16-2019

This works as well, leveraging positive lookbehind:

rex "(?<=\\)(?<theWord>[\w\.]+)$"

Regex101: https://regex101.com/r/eslxJR/2

vnravikumar · ‎12-16-2019

Hi

Try this

| makeresults 
| eval temp=" \wtf\test\thisbithere.exe" 
| rex field=temp "(?P<filename>[^\\\]+)$"

or

| makeresults 
| eval temp="\wtf\test\thisbithere.exe" 
|eval filename =mvindex(split(temp,"\\"),-1)

vnravikumar · ‎12-16-2019

Try my answer

jacqu3sy · ‎12-16-2019

Both these worked, many thanks, much appreciated.

gcusello · ‎12-16-2019

Hi @jacqu3sy,
try something like this

| rex "\\(?<filename>\w+\.\w+)$"

that you can test at https://regex101.com/r/78fp97/1 .

Ciao.
Giuseppe

jacqu3sy · ‎12-16-2019

hmmm, errors when I run that in Splunk though?

gcusello · ‎12-16-2019

Hi @jacqu3sy,
what's error?

have you used my regex in a search or in a dashboard?
in a search it should run;
if you're using in a dashboard you have to modify the regex because the Splunk editor has some problem:

| rex "\\(?&lt;filename&gt;\w+\.\w+)$"

Ciao.
Giuseppe

jacqu3sy · ‎12-16-2019

| rex "\(?\w+.\w+)$"

Error in 'rex' command: Encountered the following error while compiling the regex '(?\w+.\w+)$': Regex: unmatched closing parenthesis

gcusello · ‎12-16-2019

Hi @jacqu3sy,
you have to use two backslashes in the beginning of the regex, not one!

 | rex "\\(?<filename>\w+\.\w+)$"

P.S.:
When you have to use a regex in a message, please, use the Code Sample button (101010), otherwise it's difficoult to read your messages.

Ciao.
Giuseppe

jacqu3sy · ‎12-16-2019

Yeh, even with the second backslash I get an error when running straight from a search query, related to 'unmatched closing parenthesis'

<mysearch>
| rex "\\(?<filename>\w+\.\w+)$"

gcusello · ‎12-16-2019

these run:

index=_internal | head 100 | rex field=source "(?<filename>\w+\.\w+)$"

or

index=_internal | head 100 | rex field=source "\\\(?<filename>\w+\.\w+)$"

Ciao.
Giuseppe

jacqu3sy · ‎12-16-2019

appreciate the efforts, really do. Unfortunatly I couldnt get these to work, but thanks anyway.

jacqu3sy · ‎12-16-2019

just straight from within a search

regex - everything after last slash

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...