Hi Splunk Community,
I need help to check whether my directory field matches the regex.
The regex I used is ^\w+:\\root_folder\\((?:(?!excluded_folder).)*?)\\ to check that the file path does not belong to the excluded_folder.
Example: c:\root_folder\excluded_folder\...\...\...\file is False
d:\root_folder\subfolder\...\...\...\file is True
Could anyone please help? Much appreciated!
| eval excluded=if(match(directory,"^\w+:\\\\root_folder\\\\((?:(?!excluded_folder).)*?)\\\\"), "true", "false")
Thanks @ITWhisperer
This solved my issue
Hi @boxmetal,
you could extract the folder_to_check field and make the check on this field. Something like this:
<your_search>
| rex field=source "^\w:\\\w+\\(?<folder_to_check>\w+)"
| search folder_to_check="subfolder"
Ciao.
Giuseppe
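Added example, not part of the thread: the regex from the question and accepted answer, run with Python's re module (the lookahead behaves the same way as in Splunk's PCRE) over constructed paths, to show which edge cases it accepts and rejects. SEGMENT_RE, classify, report and the sample paths are assumptions introduced here; SEGMENT_RE is a stricter variant that compares the whole first-level folder name.

```python
import re

# Regex from the thread as a Python raw string (one level of escaping; the SPL
# eval string in the answer doubles every backslash again).
THREAD_RE = re.compile(r"^\w+:\\root_folder\\((?:(?!excluded_folder).)*?)\\")

# Assumption (not from the thread): reject only when the first-level folder
# is exactly "excluded_folder", instead of testing for the substring.
SEGMENT_RE = re.compile(r"^\w+:\\root_folder\\(?!excluded_folder\\)([^\\]+)\\")

# Constructed sample paths (not from the thread).
SAMPLES = [
    r"c:\root_folder\excluded_folder\a\b\file",        # excluded folder itself
    r"d:\root_folder\subfolder\a\b\file",              # ordinary subfolder
    r"d:\root_folder\excluded_folder_old\a\file",      # name starts with excluded name
    r"d:\root_folder\my_excluded_folder\file",         # name contains excluded name
    r"d:\root_folder\subfolder\excluded_folder\file",  # excluded name one level deeper
]


def classify(path, pattern=THREAD_RE):
    """Return the captured first-level folder, or None when the path is rejected."""
    m = pattern.search(path)
    return m.group(1) if m else None


def report(paths=SAMPLES):
    """Return (path, thread_result, segment_result) for every sample path."""
    return [(p, classify(p, THREAD_RE), classify(p, SEGMENT_RE)) for p in paths]


if __name__ == "__main__":
    for path, thread, strict in report():
        print(f"{path:50} thread={thread!r:12} segment={strict!r}")
```

The thread regex rejects any first-level folder whose name contains excluded_folder, while both patterns accept a path where excluded_folder appears below the first level, because the capture stops at the first backslash.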