Splunk Enterprise

How to extract only the part of filename using regex expression?

Ashwini008
Builder

Hi

I have the following files indexed

  1. -rw-r--r-- 1 dmu interface 7206 Jan 27 01:46 a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg
  2. -rw-r--r-- 1 dum interface 366 Jan 27 02:45 c+d.zpettime.abcdpd1fo.600.2.20210127020002.gpg

I need to capture only the following part from the filename

  1.  zpettime.abcdpd1fo.600
  2. zgeypynd.pcsdatei.600

I am using this regex, which is helping to capture only the filename from source, i.e. a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg

| rex field=source ".*\/(?<filename>.*)$"

I want to extract from after the first dot (.) up to the number 600 of the filename, i.e. zgeypynd.pcsdatei.600. Please help me with the rex expression.


jotne
Builder

Here is another regex. It uses the time as reference, then skips everything until the first dot.


\d+:\d+ [^.]+\.(?<file>.*?\d+)\.


scelikok
SplunkTrust

Hi @Ashwini008,

Indexing was mentioned before, which is why I put the conf files. You can use the rex command below:

|rex field=source "\w\+\w\.(?<filename>\w+\.\w+.\d+)\."

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

Ashwini008
Builder

@scelikok Thank you. It worked as expected.


scelikok
SplunkTrust

Hi @Ashwini008,

You can use the sample props.conf and transforms.conf below on your indexers; you may need to play with the regex to capture the correct part of the filename.

props.conf
[source::///dmd/archivy/*.gpg]
TRANSFORMS-replace_source = replacesourcefilename

transforms.conf
[replacesourcefilename]
SOURCE_KEY = MetaData:Source
REGEX = \w\+\w\.(\w+\.\w+.\d+)\.
DEST_KEY = MetaData:Source
FORMAT= source::$1.gpg

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

Ashwini008
Builder

@scelikok Thank you, but I am seeking help on the regex expression.

@martin_mueller @cpetterborg @somesoni2 @richgalloway could you please suggest?


cpetterborg
SplunkTrust

The following run-anywhere search string uses a rex command which will produce the results you want from the two examples provided:

| makeresults 
| eval source="a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg"
| rex field=source "^[^\.]*\.(?<filename>.*\.600)"

The first part, ^[^.]*\., is used to get rid of anything before the first .

The rest just captures the file name up to and including the 600.

This also assumes that the filename is in the source field, since what you wrote seems to indicate that, but you can substitute whatever field works.

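Added example, not code from any of the posts above: the three expressions proposed in this thread (scelikok's, cpetterborg's and jotne's) run against the two filenames from the question using Python's re module, which treats these constructs the same way as the PCRE engine behind Splunk's rex (only the named-group syntax differs, (?P<name>...) instead of (?<name>...)). The /dmd/archivy/ directory prefix is assumed from the props.conf stanza in the thread, the ls -l lines are reconstructed from the question, and the dotted-directory path in the last check is hypothetical. That last check is the caveat a practitioner would want before putting one of these into a transforms.conf: cpetterborg's ^[^\.]*\. anchors on the first dot anywhere in source, so a dot in a directory name shifts the capture, while scelikok's \w\+\w\. keys on the a+b. prefix of the filename itself and is unaffected.

```python
import re

# Constructed sample inputs built from the two filenames quoted in the question.
# The /dmd/archivy/ prefix is assumed (taken from the props.conf stanza above).
SOURCES = [
    "/dmd/archivy/a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg",
    "/dmd/archivy/c+d.zpettime.abcdpd1fo.600.2.20210127020002.gpg",
]
# The same two files as `ls -l` lines, reconstructed from the question, for the
# regex that keys on the HH:MM timestamp rather than on the path.
LS_LINES = [
    "-rw-r--r-- 1 dmu interface 7206 Jan 27 01:46 a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg",
    "-rw-r--r-- 1 dum interface 366 Jan 27 02:45 c+d.zpettime.abcdpd1fo.600.2.20210127020002.gpg",
]
EXPECTED = ["zgeypynd.pcsdatei.600", "zpettime.abcdpd1fo.600"]

# The three expressions posted in the thread, unchanged apart from the
# Python spelling of named groups. Splunk's rex is PCRE; these constructs
# (character classes, lazy quantifiers, anchors) behave identically in re.
REX_SCELIKOK = re.compile(r"\w\+\w\.(?P<filename>\w+\.\w+.\d+)\.")
REX_CPETTERBORG = re.compile(r"^[^\.]*\.(?P<filename>.*\.600)")
REX_JOTNE = re.compile(r"\d+:\d+ [^.]+\.(?P<file>.*?\d+)\.")


def extract(pattern, text, group):
    """Mimic `| rex field=...`: return the named capture, or None when the
    pattern does not match (rex leaves the field unset in that case)."""
    m = pattern.search(text)
    return m.group(group) if m else None


def run_thread_regexes():
    """Apply each posted regex to the input it was written for and return
    the captures per author, in the same order as SOURCES / LS_LINES."""
    return {
        "scelikok": [extract(REX_SCELIKOK, s, "filename") for s in SOURCES],
        "cpetterborg": [extract(REX_CPETTERBORG, s, "filename") for s in SOURCES],
        "jotne": [extract(REX_JOTNE, line, "file") for line in LS_LINES],
    }


def dotted_directory_check():
    r"""Edge case: a dot inside a directory component of `source`.

    `^[^\.]*\.` consumes up to the FIRST dot in the whole field, so when a
    directory name contains one, the capture starts there instead of after
    the `a+b.` prefix. `\w\+\w\.` anchors on that prefix and is unaffected.
    The path below is hypothetical, constructed only for this check.
    """
    src = "/data/host.local/e+f.zfoo.bar.600.gpg.3.20210127030000.gpg"
    return (
        extract(REX_CPETTERBORG, src, "filename"),
        extract(REX_SCELIKOK, src, "filename"),
    )


if __name__ == "__main__":
    for author, results in run_thread_regexes().items():
        print(f"{author:12s} {results}  matches_expected={results == EXPECTED}")
    print("dotted directory (cpetterborg, scelikok):", dotted_directory_check())
```

All three patterns return the two expected values on the thread's own data; the dotted-directory check returns "local/e+f.zfoo.bar.600" for the first-dot anchor and "zfoo.bar.600" for the prefix anchor, which is why the prefix-anchored form is the safer one to bake into a SOURCE_KEY transform.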