I have a path (and a variable file_path) that looks like this:
C:\\\\Program Files\\\\theapp\\\\the app\\\\Tools\\\\IR\\\\somefolder\\\\somefile.exe
And I'm trying to retrieve the file name somefile.exe
I created a Field transformation with the following info, but I'm not getting the field file_name to populate:
name: file_name
Regular expression: (?P<file_name>[^\\]+)$
Format:
Source Key: file_path
You can try the transform below, as it takes very few steps:
\D*\(?\w*.\w*)
Ah, right, when putting it into files, you need to adjust the backslashes; use this instead:
In props.conf:
[YourSourcetypeHere]
REPORT-file_name_FROM_file_path = file_name_FROM_file_path
In transforms.conf:
[file_name_FROM_file_path]
REGEX = ([^\\]+)$
SOURCE_KEY = file_path
FORMAT = file_name::$1
Capitalization is CRITICAL. Also, note that you probably need REPORT-
(for search-time extractions) instead of TRANSFORMS-
(for index-time extractions) because I am pretty sure that the file_path
field is not an index-time field.
Does it make a difference if I'm doing this on the search head using the field transformation option under "Fields"? My Splunk search head is in the cloud, so I don't have access to the files.
No, it should work exactly the same. These settings will do what you need.
Like this:
| makeresults
| eval file_path=" C:\\\\\\\\Program Files\\\\\\\\theapp\\\\\\\\the app\\\\\\\\Tools\\\\\\\\IR\\\\\\\\somefolder\\\\\\\\somefile.exe"
| rex field=file_path "(?<file_name>[^\\\]+)$"
The thing is, my regex works when I test it, but it doesn't work when I create the field transformation. For example, when I type yours in I get:
Encountered the following error while trying to update: Regex: missing terminating ] for character class
Are you putting this into transforms.conf? If so, then you need to remove one of the back-slashes, like this:
REGEX = (?<file_name>[^\\]+)$
Hello @mkarimi17,
I just tested this out using the event source=C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log.
I needed 4 backslashes in the regex to get it working:
source="C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log"
| rex field=source "(?<file_name>[^\\\\]+)$"
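The whole thread comes down to how many layers of unescaping sit between the regex you type and the PCRE engine: a REGEX = line in transforms.conf is handed to PCRE as written, while a double-quoted argument to rex is first processed by the search language, which (as far as the behaviour reported above shows) collapses \\ to \ before PCRE sees it. The following Python script is an added example, not code from the thread or from Splunk; it emulates that one extra layer and runs the two-, three- and four-backslash variants of the pattern through both paths against a constructed copy of the question's path. The named group is written (?P<...>) so the same pattern compiles under Python's re module; PCRE accepts both that and (?<...>).

```python
import re

# Constructed sample value: the path from the question as the stored
# file_path field would actually hold it (one backslash per separator).
SAMPLE_PATH = r"C:\Program Files\theapp\the app\Tools\IR\somefolder\somefile.exe"


def spl_unescape(s):
    # Emulate the first escaping layer for a double-quoted string in a search
    # (assumption drawn from the thread, not from Splunk source): "\\" becomes
    # "\" and "\"" becomes '"'; any other backslash passes through unchanged.
    # A REGEX = line in transforms.conf has no such layer.
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in ("\\", '"'):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def run_regex(pattern, path=SAMPLE_PATH):
    # Compile the final pattern and return ("ok", file_name) or
    # ("error", message). Python's re reports the same class of failure
    # PCRE does for an unterminated character class.
    try:
        rx = re.compile(pattern)
    except re.error as e:
        return ("error", str(e))
    m = rx.search(path)
    return ("ok", m.group("file_name") if m else None)


def via_conf(regex_line):
    # transforms.conf: REGEX = <regex_line>, no extra unescaping.
    return run_regex(regex_line)


def via_search(quoted_arg):
    # | rex field=file_path "<quoted_arg>": search-language unescape first.
    return run_regex(spl_unescape(quoted_arg))


# The three spellings that appear in the thread, differing only in the
# number of backslashes inside the negated character class.
TWO = r"(?P<file_name>[^\\]+)$"
THREE = r"(?P<file_name>[^\\\]+)$"
FOUR = r"(?P<file_name>[^\\\\]+)$"

if __name__ == "__main__":
    for label, pat in (("two", TWO), ("three", THREE), ("four", FOUR)):
        print(f"{label:5} conf  : {via_conf(pat)}")
        print(f"{label:5} search: {via_search(pat)}")
```

Running it shows why the answers disagree without either being wrong: in transforms.conf two backslashes work and three produce the unterminated-class error from the question, while inside a rex string two backslashes collapse to one and fail, and both three and four reduce to a valid [^\\]+ class. When the Field transformation UI on a cloud search head is used, it writes transforms.conf for you, so the conf-file count applies there.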