Splunk Search

Can you help me extract a filename from a filepath in a field transformation?

mkarimi17
Path Finder

I have a path (and a variable file_path) that looks like this:

C:\\\\Program Files\\\\theapp\\\\the app\\\\Tools\\\\IR\\\\somefolder\\\\somefile.exe

And I'm trying to retrieve the file name somefile.exe

I created a Field transformation with the following info, but I'm not getting the field file_name to populate

name: file_name

Regular expression: (?P<file_name>[^\\]+)$

Format:

Source Key: file_path

0 Karma

kushagra9120
Explorer

You can try below transform as it takes very less steps:-

\D*\(?\w*.\w*)

0 Karma

woodcock
Esteemed Legend

Ah, right, when putting it into files, you need to adjust the backslashes; use this instead:

In props.conf:

[YourSourcetypeHere]
REPORT-file_name_FROM_file_path

In transforms.conf:

[file_name_FROM_file_path]
REGEX = ([^\\]+)$
SOURCE_KEY = file_path
FORMAT = file_name::$1

Capitalization is CRITICAL. Also, note that you probably need REPORT- (for search-time extractions) instead of TRANSFORMS- (for index-time extractions) because I am pretty sure that the file_path field is not an index-time field.

0 Karma

mkarimi17
Path Finder

Does it make a difference if I'm doing this on the search head using the field transformation option under "Fields"? My Splunk searchhead is in the cloud so I don't have access to the files.

0 Karma

woodcock
Esteemed Legend

No, it should work exactly the same. These settings will do what you need.

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval file_path=" C:\\\\\\\\Program Files\\\\\\\\theapp\\\\\\\\the app\\\\\\\\Tools\\\\\\\\IR\\\\\\\\somefolder\\\\\\\\somefile.exe"
| rex field=file_path "(?<file_name>[^\\\]+)$"
0 Karma

mkarimi17
Path Finder

The thing is my regex works when I test it, but it doesn't work when I create the file transformation. For example, when I type yours in I get:

Encountered the following error while trying to update: Regex: missing terminating ] for character class
0 Karma

woodcock
Esteemed Legend

Are you putting this into transforms.conf? If so, then you need to remove one of the back-slashes, like this:

REGEX = (?<file_name>[^\\]+)$
0 Karma

whrg
Motivator

Hello @mkarimi17,

I just tested this out using the event source=C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log.

I needed 4 backslashes in the regex to get it working:

source="C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log"
| rex field=source "(?<file_name>[^\\\\]+)$"
0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...