Splunk Enterprise

How to extract only part of a filename using a regex expression?

Ashwini008
Communicator

Hi

I have the following files indexed

  1. -rw-r--r-- 1 dmu interface 7206 Jan 27 01:46 a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg
  2. -rw-r--r-- 1 dum interface 366 Jan 27 02:45 c+d.zpettime.abcdpd1fo.600.2.20210127020002.gpg

I need to capture only the following parts from the filenames

  1.  zpettime.abcdpd1fo.600
  2. zgeypynd.pcsdatei.600

I am using this regex, which helps capture only the filename from source, i.e. a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg

| rex field=source ".*\/(?<filename>.*)$"

I want to extract the part after the first dot (.) up to the number 600 of the filename, i.e. zgeypynd.pcsdatei.600. Please help me with the rex expression.

0 Karma
1 Solution

scelikok
Influencer

Hi @Ashwini008,

Indexing was mentioned earlier, which is why I posted conf files. You can use the rex command below:

|rex field=source "\w\+\w\.(?<filename>\w+\.\w+\.\d+)\."
If this reply helps you an upvote is appreciated.


jotne
Path Finder

Here is another regex. It uses the time as a reference, then skips everything until the first dot.

\d+:\d+ [^.]+\.(?<file>.*?\d+)\.

0 Karma


Ashwini008
Communicator

@scelikok Thank you . It worked as expected.

0 Karma

scelikok
Influencer

Hi @Ashwini008,

You can use the sample props.conf and transforms.conf below on your indexers; you may need to adjust the regex to capture the correct part of the filename.

props.conf
[source::///dmd/archivy/*.gpg]
TRANSFORMS-replace_source = replacesourcefilename

transforms.conf
[replacesourcefilename]
SOURCE_KEY = MetaData:Source
REGEX = \w\+\w\.(\w+\.\w+\.\d+)\.
DEST_KEY = MetaData:Source
FORMAT = source::$1.gpg

If this reply helps you an upvote is appreciated.
0 Karma

Ashwini008
Communicator

@scelikok Thank you, but I am seeking help on the regex expression.

@martin_mueller @cpetterborg @somesoni2 @richgalloway could you please suggest?

0 Karma

cpetterborg
SplunkTrust

The following run-anywhere search string uses a rex command which will produce the results you want from the two examples provided:

| makeresults 
| eval source="a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg"
| rex field=source "^[^\.]*\.(?<filename>.*\.600)"

The first part, ^[^.]*\. , gets rid of anything before the first dot.

The rest just captures the filename up to and including the 600.

This also assumes that the filename is in the source field, since what you wrote seems to indicate that, but you can substitute whatever field works.

0 Karma
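The three rex patterns proposed in this thread (scelikok's, jotne's and cpetterborg's) can be checked offline before they go into a search or into transforms.conf. The script below is an added example and is not code from any poster here; it reproduces what `| rex` does with Python's re module on the two filenames quoted in the question (sample data constructed from the post), translating the PCRE named-group syntax (?<name>...) that rex accepts into the (?P<name>...) form Python requires. jotne's pattern is applied to the raw ls-style event lines, since it keys off the hh:mm time, while the others are applied to the source value. The GENERAL pattern and the helper names (pcre_to_python, rex, run_thread_patterns, greedy_trap, with_path) are my own assumptions, not anything posted: GENERAL strips any directory prefix, skips the first dot-separated component and captures the next three, requiring the third to be numeric, so it hard-codes neither 600 nor the a+b shape of the first component.

```python
import re

# Constructed sample data, built from the two filenames quoted in the question.
# The source field holds the file name; the raw events are the ls-style lines.
SAMPLE_SOURCES = [
    "a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg",
    "c+d.zpettime.abcdpd1fo.600.2.20210127020002.gpg",
]
SAMPLE_EVENTS = [
    "-rw-r--r-- 1 dmu interface 7206 Jan 27 01:46 " + SAMPLE_SOURCES[0],
    "-rw-r--r-- 1 dum interface 366 Jan 27 02:45 " + SAMPLE_SOURCES[1],
]
WANTED = ["zgeypynd.pcsdatei.600", "zpettime.abcdpd1fo.600"]

# The rex patterns posted in the thread, in Splunk (PCRE) named-group syntax.
# scelikok's is written with the dot before the trailing number escaped.
SCELIKOK = r"\w\+\w\.(?<filename>\w+\.\w+\.\d+)\."
JOTNE = r"\d+:\d+ [^.]+\.(?<file>.*?\d+)\."
CPETTERBORG = r"^[^\.]*\.(?<filename>.*\.600)"

# Added, more general pattern (assumption, not from the thread): optional
# directory prefix, skip the first dot-separated component, then capture
# exactly three components of which the last must be numeric.
GENERAL = r"^(?:.*/)?[^.]+\.(?<filename>[^.]+\.[^.]+\.\d+)\."


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).
    Lookbehinds (?<= / (?<! are untouched because \\w+ does not match '='/'!'."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def rex(pattern: str, text: str):
    """Emulate `| rex field=... "<pattern>"`: return the first named capture,
    or None when the pattern does not match (rex then leaves the field unset)."""
    m = re.search(pcre_to_python(pattern), text)
    if not m:
        return None
    return next(iter(m.groupdict().values()))


def run_thread_patterns() -> dict:
    """Apply each pattern to the input it was written for."""
    return {
        "scelikok": [rex(SCELIKOK, s) for s in SAMPLE_SOURCES],
        "jotne": [rex(JOTNE, e) for e in SAMPLE_EVENTS],
        "cpetterborg": [rex(CPETTERBORG, s) for s in SAMPLE_SOURCES],
        "general": [rex(GENERAL, s) for s in SAMPLE_SOURCES],
    }


def greedy_trap():
    """Constructed edge case: a second '.600' later in the name. The greedy
    `.*\\.600` runs on to the last one; the anchored GENERAL pattern stops
    at the first three components."""
    name = "a+b.zgeypynd.pcsdatei.600.gpg.600.gpg"
    return rex(CPETTERBORG, name), rex(GENERAL, name)


def with_path():
    """GENERAL also works when source carries the full directory path."""
    return rex(GENERAL, "/dmd/archivy/" + SAMPLE_SOURCES[1])


if __name__ == "__main__":
    for who, got in run_thread_patterns().items():
        print(f"{who:12s} {got}  {'ok' if got == WANTED else 'MISMATCH'}")
    print("greedy trap:", greedy_trap())
    print("with path:  ", with_path())
```

All three thread patterns produce the wanted values on the two sample filenames; the difference between them only shows up on inputs outside the samples, such as a name containing a second ".600", which is why a pattern anchored on the component structure rather than on the literal 600 is safer if the props.conf/transforms.conf route is used at index time, where a wrong capture rewrites source for every event.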