I have a path (and a variable file_path) that looks like this:
C:\\\\Program Files\\\\theapp\\\\the app\\\\Tools\\\\IR\\\\somefolder\\\\somefile.exe
And I'm trying to retrieve the file name
I created a Field transformation with the following info, but I'm not getting the field file_name to populate
Ah, right, when putting it into files, you need to adjust the backslashes; use this instead:
[file_name_FROM_file_path]
REGEX = ([^\\]+)$
SOURCE_KEY = file_path
FORMAT = file_name::$1
Capitalization is CRITICAL. Also, note that you probably need REPORT- (for search-time extractions) instead of TRANSFORMS- (for index-time extractions), because I am pretty sure that the file_path field is not an index-time field.
Does it make a difference if I'm doing this on the search head using the field transformation option under "Fields"? My Splunk search head is in the cloud, so I don't have access to the files.
| makeresults | eval file_path=" C:\\\\\\\\Program Files\\\\\\\\theapp\\\\\\\\the app\\\\\\\\Tools\\\\\\\\IR\\\\\\\\somefolder\\\\\\\\somefile.exe" | rex field=file_path "(?<file_name>[^\\\]+)$"
The thing is my regex works when I test it, but it doesn't work when I create the file transformation. For example, when I type yours in I get:
Encountered the following error while trying to update: Regex: missing terminating ] for character class
I just tested this out using the event source=C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log.
I needed 4 backslashes in the regex to get it working:
source="C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log" | rex field=source "(?<file_name>[^\\\\]+)$"
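The two-versus-four backslash difference the answers arrive at comes from the number of escaping layers the pattern passes through. As an added example (not code from this thread), the Python below applies the transforms.conf form directly and models the rex form with one SPL string-unescaping step first; that unescaping step (collapsing each backslash pair to one) is an assumption made to mirror the behaviour described above, and the path is a constructed sample.

```python
import re

# Constructed sample path with the same shape as the one in the question.
FILE_PATH = r"C:\Program Files\theapp\the app\Tools\IR\somefolder\somefile.exe"

# The REGEX value as written in transforms.conf: the conf value goes straight
# to the regex engine, so one escaped backslash (2 characters) is enough.
CONF_REGEX = r"([^\\]+)$"

# The same regex typed inside a double-quoted SPL rex string: the string is
# unescaped first, then handed to the regex engine, so each regex-level
# backslash has to be doubled again (the 4-backslash form from the last answer).
SPL_REX_OK = r"(?<file_name>[^\\\\]+)$"
SPL_REX_BAD = r"(?<file_name>[^\\]+)$"   # the 2-backslash form typed into rex


def spl_unescape(literal):
    """Assumption: a double-quoted SPL string collapses each backslash pair
    to a single backslash before the regex engine sees it; only that layer
    is modelled here."""
    return literal.replace("\\\\", "\\")


def compile_spl_rex(literal):
    """Compile an SPL rex literal after unescaping, or return None when the
    result is an invalid pattern (the "missing terminating ]" situation)."""
    pattern = spl_unescape(literal).replace("(?<", "(?P<")  # PCRE -> Python named group
    try:
        return re.compile(pattern)
    except re.error:
        return None


def file_name_from_conf_regex(path):
    """Apply the transforms.conf REGEX directly, as the conf layer would."""
    m = re.search(CONF_REGEX, path)
    return m.group(1) if m else None


def file_name_from_spl_rex(path, literal=SPL_REX_OK):
    """Apply the rex pattern after SPL string unescaping."""
    rx = compile_spl_rex(literal)
    if rx is None:
        return None
    m = rx.search(path)
    return m.group("file_name") if m else None


if __name__ == "__main__":
    print(file_name_from_conf_regex(FILE_PATH))   # somefile.exe
    print(file_name_from_spl_rex(FILE_PATH))       # somefile.exe
    print(compile_spl_rex(SPL_REX_BAD) is None)    # True: the class is never terminated
```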