Splunk Search

Can you help me extract a filename from a filepath in a field transformation?

Path Finder

I have a path (and a variable file_path) that looks like this:

C:\\\\Program Files\\\\theapp\\\\the app\\\\Tools\\\\IR\\\\somefolder\\\\somefile.exe

And I'm trying to retrieve the file name somefile.exe

I created a Field transformation with the following info, but I'm not getting the field file_name to populate

name: file_name

Regular expression: (?P<file_name>[^\\]+)$

Format:

Source Key: file_path

0 Karma

Explorer

You can try below transform as it takes very less steps:-

\D*\(?\w*.\w*)

0 Karma

Esteemed Legend

Ah, right, when putting it into files, you need to adjust the backslashes; use this instead:

In props.conf:

[YourSourcetypeHere]
REPORT-file_name_FROM_file_path

In transforms.conf:

[file_name_FROM_file_path]
REGEX = ([^\\]+)$
SOURCE_KEY = file_path
FORMAT = file_name::$1

Capitalization is CRITICAL. Also, note that you probably need REPORT- (for search-time extractions) instead of TRANSFORMS- (for index-time extractions) because I am pretty sure that the file_path field is not an index-time field.

0 Karma

Path Finder

Does it make a difference if I'm doing this on the search head using the field transformation option under "Fields"? My Splunk searchhead is in the cloud so I don't have access to the files.

0 Karma

Esteemed Legend

No, it should work exactly the same. These settings will do what you need.

0 Karma

Esteemed Legend

Like this:

| makeresults 
| eval file_path=" C:\\\\\\\\Program Files\\\\\\\\theapp\\\\\\\\the app\\\\\\\\Tools\\\\\\\\IR\\\\\\\\somefolder\\\\\\\\somefile.exe"
| rex field=file_path "(?<file_name>[^\\\]+)$"
0 Karma

Path Finder

The thing is my regex works when I test it, but it doesn't work when I create the file transformation. For example, when I type yours in I get:

Encountered the following error while trying to update: Regex: missing terminating ] for character class
0 Karma

Esteemed Legend

Are you putting this into transforms.conf? If so, then you need to remove one of the back-slashes, like this:

REGEX = (?<file_name>[^\\]+)$
0 Karma

Motivator

Hello @mkarimi17,

I just tested this out using the event source=C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log.

I needed 4 backslashes in the regex to get it working:

source="C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log"
| rex field=source "(?<file_name>[^\\\\]+)$"
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!