Solved: Check if field match the regex?

boxmetal · ‎11-01-2022

Hi Splunk Community,

I need help to check whether my directory field match the regex

The regex I used is ^\w+:\\root_folder\\((?:(?!excluded_folder).)*?)\\ to check the file path does not belong to the excluded_folder

Example: c:\root_folder\excluded_folder\...\...\...\file is False

d:\root_folder\subfolder\...\...\...\file is True

Could anyone please help? Much appreciated!

ITWhisperer · ‎11-01-2022

| eval excluded=if(match(directory,"^\w+:\\\\root_folder\\\\((?:(?!excluded_folder).)*?)\\\\"), "true", "false")

ITWhisperer · ‎11-01-2022

| eval excluded=if(match(directory,"^\w+:\\\\root_folder\\\\((?:(?!excluded_folder).)*?)\\\\"), "true", "false")

boxmetal · ‎11-01-2022

This solved my issue

gcusello · ‎11-01-2022

you couldextract the folder_to_chek field and make the check on this field. something like this:

<yur_search>
| rex field=source "^\w:\\\w+\\(?<folder_to_check>\w+)"
| search folder_to_check="subfolder"

Ciao.

Giuseppe

Check if field match the regex?