Splunk Enterprise

How to extract only part of a filename using a regex expression?

Ashwini008
Builder

Hi

I have following file indexed

  1. rw-r--r-- 1 dmu interface 7206 Jan 27 01:46 a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg
  2. rw-r--r-- 1 dum  interface 366 Jan 27 02:45 c+d.zpettime.abcdpd1fo.600.2.20210127020002.gpg.

I need to capture only the following part from the filename

  1.  zpettime.abcdpd1fo.600
  2. zgeypynd.pcsdatei.600

I am using this regex, which helps to capture only the filename from source, i.e. a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg

| rex field=source ".*\/(?<filename>.*)$"

I want to extract from after the first dot (.) up to the number 600 in the filename, i.e. zgeypynd.pcsdatei.600. Please help me with the rex expression.

1 Solution

scelikok
SplunkTrust

Hi @Ashwini008,

Indexing was mentioned before, that is why I put the conf files. You can use the rex command below:

|rex field=source "\w\+\w\.(?<filename>\w+\.\w+.\d+)\."

If this reply helps you, an upvote and "Accept as Solution" is appreciated.


jotne
Builder

Here is another regex. It uses the time as a reference, then skips everything until the first dot.

\d+:\d+ [^.]+\.(?<file>.*?\d+)\.



Ashwini008
Builder

@scelikok Thank you. It worked as expected.


scelikok
SplunkTrust

Hi @Ashwini008,

You can use the sample props.conf and transforms.conf below on your indexers; you may need to play with the regex to capture the correct part of the filename.

props.conf
[source::///dmd/archivy/*.gpg]
TRANSFORMS-replace_source = replacesourcefilename

transforms.conf
[replacesourcefilename]
SOURCE_KEY = MetaData:Source
REGEX = \w\+\w\.(\w+\.\w+.\d+)\.
DEST_KEY = MetaData:Source
FORMAT = source::$1.gpg

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

Ashwini008
Builder

@scelikok Thank you, but I am seeking help on the regex expression.

@martin_mueller @cpetterborg @somesoni2 @richgalloway could you please suggest?


cpetterborg
SplunkTrust

The following run-anywhere search string uses a rex command which will produce the results you want from the two examples provided:

| makeresults 
| eval source="a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg"
| rex field=source "^[^\.]*\.(?<filename>.*\.600)"

The first part, ^[^.]*\. , is used to get rid of anything before the first dot.

The rest just captures the file name up to and including the 600.

This also assumes that the filename is in source, since what you wrote seems to indicate that, but you can substitute whatever field works.

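As an added check, not part of the thread and not Splunk's own code, the Python script below runs the rex patterns posted in this thread (the asker's basename regex, the accepted answer, jotne's time-anchored variant and cpetterborg's first-dot variant) against the two sample filenames, simulates the transforms.conf rewrite of source, and shows where each pattern stops matching. Splunk's rex uses PCRE, which accepts (?<name>...) groups; Python's re module needs (?P<name>...), so the script rewrites only that token and applies the patterns otherwise verbatim. The /dmd/archivy/ directory is assumed from the props.conf stanza above, the ab+cd and /var/log/app.d inputs are constructed to show the failure modes, and REX_FIRST_DOT_SAFE is my own hardening, not something posted in the thread.

```python
"""Run the rex patterns from the thread against the sample filenames."""
import re

# Constructed sample values. The basenames are the two filenames from the
# question; the directory is assumed from the props.conf stanza
# [source::///dmd/archivy/*.gpg] posted in the thread.
SOURCES = [
    "/dmd/archivy/a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg",
    "/dmd/archivy/c+d.zpettime.abcdpd1fo.600.2.20210127020002.gpg",
]
# The raw `ls -l` lines as pasted in the question. jotne's pattern needs the
# hh:mm timestamp, so it has to run on _raw rather than on source.
RAW_LINES = [
    "rw-r--r-- 1 dmu interface 7206 Jan 27 01:46 "
    "a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg",
    "rw-r--r-- 1 dum  interface 366 Jan 27 02:45 "
    "c+d.zpettime.abcdpd1fo.600.2.20210127020002.gpg",
]

# Patterns exactly as posted in the thread.
REX_BASENAME = r".*\/(?<filename>.*)$"                 # the asker's original
REX_ACCEPTED = r"\w\+\w\.(?<filename>\w+\.\w+.\d+)\."  # scelikok (note the unescaped '.')
REX_TIME_ANCHOR = r"\d+:\d+ [^.]+\.(?<file>.*?\d+)\."  # jotne, runs on _raw
REX_FIRST_DOT = r"^[^\.]*\.(?<filename>.*\.600)"       # cpetterborg
# Assumed hardening (mine, not from the thread): consume the directory part
# first, so a dot inside the path cannot shift where "the first dot" is.
REX_FIRST_DOT_SAFE = r"^(?:.*/)?[^./]*\.(?<filename>[^/]*\.600)"


def to_python(pattern: str) -> str:
    """Rewrite PCRE (?<name>...) to Python (?P<name>...); lookbehinds are left alone."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def rex(pattern: str, text: str) -> dict:
    """Mimic `| rex field=<text> "<pattern>"`: first match, named groups become fields.
    Returns an empty dict when the pattern does not match, as rex would add no field."""
    m = re.search(to_python(pattern), text)
    return m.groupdict() if m else {}


def rewrite_source(source: str) -> str:
    r"""Mimic the transforms.conf stanza: REGEX = \w\+\w\.(\w+\.\w+.\d+)\.
    with FORMAT = source::$1.gpg. A source that does not match is left unchanged."""
    m = re.search(r"\w\+\w\.(\w+\.\w+.\d+)\.", source)
    return f"source::{m.group(1)}.gpg" if m else f"source::{source}"


if __name__ == "__main__":
    for src, raw in zip(SOURCES, RAW_LINES):
        print(src)
        print("  basename    :", rex(REX_BASENAME, src))
        print("  accepted    :", rex(REX_ACCEPTED, src))
        print("  time anchor :", rex(REX_TIME_ANCHOR, raw))
        print("  first dot   :", rex(REX_FIRST_DOT, src))
        print("  transform   :", rewrite_source(src))
    # Constructed edge cases: a multi-character prefix breaks \w\+\w\. (no match,
    # so rex adds no field), and a dot in the directory shifts the first-dot pattern.
    print(rex(REX_ACCEPTED, "/dmd/archivy/ab+cd.zgeypynd.pcsdatei.600.gpg"))
    print(rex(REX_FIRST_DOT, "/var/log/app.d/a+b.zgeypynd.pcsdatei.600.gpg"))
    print(rex(REX_FIRST_DOT_SAFE, "/var/log/app.d/a+b.zgeypynd.pcsdatei.600.gpg"))
```

The accepted pattern works for both samples because each prefix is a single word character on either side of the plus sign; a prefix such as ab+cd produces no match, which in Splunk means the field is silently absent rather than wrong. The first-dot pattern hard-codes 600 and, when applied to the full source, trusts that no directory name contains a dot; running the rex on the basename first, or anchoring past the last slash as in REX_FIRST_DOT_SAFE, removes that dependency.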