Splunk Search

Can you help me extract a filename from a filepath in a field transformation?

Path Finder

I have a path (and a variable file_path) that looks like this:

C:\\\\Program Files\\\\theapp\\\\the app\\\\Tools\\\\IR\\\\somefolder\\\\somefile.exe

And I'm trying to retrieve the file name somefile.exe

I created a Field transformation with the following info, but I'm not getting the field file_name to populate

name: file_name

Regular expression: (?P<file_name>[^\\]+)$


Source Key: file_path

0 Karma


You can try below transform as it takes very less steps:-


0 Karma

Esteemed Legend

Ah, right, when putting it into files, you need to adjust the backslashes; use this instead:

In props.conf:


In transforms.conf:

REGEX = ([^\\]+)$
SOURCE_KEY = file_path
FORMAT = file_name::$1

Capitalization is CRITICAL. Also, note that you probably need REPORT- (for search-time extractions) instead of TRANSFORMS- (for index-time extractions) because I am pretty sure that the file_path field is not an index-time field.

0 Karma

Path Finder

Does it make a difference if I'm doing this on the search head using the field transformation option under "Fields"? My Splunk searchhead is in the cloud so I don't have access to the files.

0 Karma

Esteemed Legend

No, it should work exactly the same. These settings will do what you need.

0 Karma

Esteemed Legend

Like this:

| makeresults 
| eval file_path=" C:\\\\\\\\Program Files\\\\\\\\theapp\\\\\\\\the app\\\\\\\\Tools\\\\\\\\IR\\\\\\\\somefolder\\\\\\\\somefile.exe"
| rex field=file_path "(?<file_name>[^\\\]+)$"
0 Karma

Path Finder

The thing is my regex works when I test it, but it doesn't work when I create the file transformation. For example, when I type yours in I get:

Encountered the following error while trying to update: Regex: missing terminating ] for character class
0 Karma

Esteemed Legend

Are you putting this into transforms.conf? If so, then you need to remove one of the back-slashes, like this:

REGEX = (?<file_name>[^\\]+)$
0 Karma


Hello @mkarimi17,

I just tested this out using the event source=C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log.

I needed 4 backslashes in the regex to get it working:

source="C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log"
| rex field=source "(?<file_name>[^\\\\]+)$"
0 Karma