Splunk Search

Check if field match the regex?

boxmetal
Path Finder

Hi Splunk Community,

I need help to check whether my directory field match the regex

The regex I used is ^\w+:\\root_folder\\((?:(?!excluded_folder).)*?)\\    to check the file path does not belong to the excluded_folder

Example: c:\root_folder\excluded_folder\...\...\...\file  is False

d:\root_folder\subfolder\...\...\...\file is True

Could anyone please help? Much appreciated!

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| eval excluded=if(match(directory,"^\w+:\\\\root_folder\\\\((?:(?!excluded_folder).)*?)\\\\"), "true", "false")

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| eval excluded=if(match(directory,"^\w+:\\\\root_folder\\\\((?:(?!excluded_folder).)*?)\\\\"), "true", "false")

boxmetal
Path Finder

Thanks @ITWhisperer 

This solved my issue

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @boxmetal,

you couldextract the folder_to_chek field and make the check on this field. something like this:

<yur_search>
| rex field=source "^\w:\\\w+\\(?<folder_to_check>\w+)"
| search folder_to_check="subfolder"

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...