Splunk Search

Extract a file name from the splunk logs

kumarnis45
Path Finder

Hi team,

I am new to Splunk. I am running a Splunk query with an ID name to get the file associated with it from the logs. The event logs look like this in Splunk:

Logs:

The log lines are:

   RequestId: abcd File uploaded to: s3://test/sample/file.json

   source: source name

   host: host name

   etc.

How can I run a query that searches the Splunk event logs, looks for the .json file and returns the full JSON file name?

Any help is appreciated.

 

Thanks.


kumarnis45
Path Finder

Thanks Rich. That worked.

richgalloway
SplunkTrust

Here's a basic query that should get you started.

index=foo "uploaded to"
| rex "uploaded to: (?<filepath>.*)"
| table filepath
---
If this reply helps you, Karma would be appreciated.

kumarnis45
Path Finder

Hi @richgalloway,

Thanks for replying to my post. Yes, this query really helps me and gets the file name I need. One question: the values in the URL names are dynamic and change with the environment (dev, qa, uat, etc.) and the client name (client1, client2, etc.). How can I overcome that?

The command that works for me with static values in the URL:

rex "uploaded to: s3://<client>-sample-<env>-us-east-1-s3/path/(?<filename>.*)" | table filename

In the above command, the client (client1, client2 and client3) and env (dev, qa and uat) values change. How can I overcome that?

If I pass '*' for the env and client names, the query returns nothing.

Thanks.

richgalloway
SplunkTrust

The rex command uses regular expressions (regex) rather than patterns.  Whereas in a pattern "*" means "any number of any thing", in regex it means "repeat the last character any number of times".  It's a subtle, but meaningful difference.

This should help.  Note the escaped slashes.

| rex "uploaded to: s3:\/\/.*?-sample-.*?-us-east-1-s3\/path\/(?<filename>.*)"

 

---
If this reply helps you, Karma would be appreciated.
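As an added illustration that is not part of the thread (neither poster wrote it), the three extractions discussed above are run in Python over constructed sample events: the basic `uploaded to:` capture from the first reply, the asker's glob-style pattern with `*` in place of client and env read as a regex (which is why it returned nothing), and the accepted non-greedy solution. Python's `re` is close enough to Splunk's PCRE for this purpose; the one syntax difference is that Python names a capture group `(?P<name>...)` where Splunk accepts `(?<name>...)`. The sample events, the client and environment names, the `.json` filter and the stricter variant at the end are all assumptions added here.

```python
import re

# Constructed sample events (not from the original post). The bucket segment
# varies by client and environment, as the follow-up question describes.
SAMPLE_EVENTS = [
    "RequestId: abcd File uploaded to: s3://client1-sample-dev-us-east-1-s3/path/file.json",
    "RequestId: ef01 File uploaded to: s3://client2-sample-qa-us-east-1-s3/path/report-2024.json",
    "RequestId: 2345 File uploaded to: s3://client3-sample-uat-us-east-1-s3/path/sub/dir/data.json",
    "RequestId: 6789 File uploaded to: s3://client1-sample-dev-us-east-1-s3/path/notes.txt",
    "RequestId: 9abc Health check OK",
]

# 1. The basic extraction from the first reply: everything after "uploaded to: ".
#    Python names a group (?P<name>...); Splunk's PCRE accepts (?<name>...) as well.
FILEPATH_RE = re.compile(r"uploaded to: (?P<filepath>.*)")

# 2. The asker's glob-style pattern, with "*" in place of client and env, read as
#    a regex. "*" repeats only the preceding character: "//*" is one slash then
#    zero or more slashes, and "-sample-*" is "-sample" then zero or more "-".
#    No real bucket name satisfies that, so the query returns no rows at all.
GLOB_AS_REGEX = re.compile(
    r"uploaded to: s3://*-sample-*-us-east-1-s3/path/(?P<filename>.*)"
)

# 3. The accepted solution: non-greedy ".*?" stands in for the dynamic client and
#    env segments. The escaped slashes are copied from the answer; Python's re does
#    not require them but accepts "\/" as a literal slash.
SOLUTION_RE = re.compile(
    r"uploaded to: s3:\/\/.*?-sample-.*?-us-east-1-s3\/path\/(?P<filename>.*)"
)

# 4. A tighter variant (an addition here, not from the thread). It assumes client
#    and env names contain no slash or hyphen, so each segment is limited to
#    "[^/-]+": an event with an unexpected bucket layout then fails to match
#    instead of yielding a wrong filename, and client and env become fields too.
STRICT_RE = re.compile(
    r"uploaded to: s3://(?P<client>[^/-]+)-sample-(?P<env>[^/-]+)"
    r"-us-east-1-s3/path/(?P<filename>\S+)"
)


def extract(pattern, events):
    """Apply the regex to each event, as `| rex` does to _raw, and return the named groups of each match."""
    results = []
    for event in events:
        match = pattern.search(event)
        if match:
            results.append(match.groupdict())
    return results


def json_filenames(events):
    """Filenames of .json uploads only, roughly `| rex ... | search filename="*.json" | table filename`."""
    return [
        row["filename"]
        for row in extract(SOLUTION_RE, events)
        if row["filename"].lower().endswith(".json")
    ]


if __name__ == "__main__":
    print("basic:   ", extract(FILEPATH_RE, SAMPLE_EVENTS))
    print("glob:    ", extract(GLOB_AS_REGEX, SAMPLE_EVENTS))  # empty list
    print("solution:", extract(SOLUTION_RE, SAMPLE_EVENTS))
    print("strict:  ", extract(STRICT_RE, SAMPLE_EVENTS))
    print("json:    ", json_filenames(SAMPLE_EVENTS))
```

The glob-as-regex case produces an empty result on every event, which matches what the asker saw. The non-greedy solution extracts the name for every upload; when only JSON files are wanted, filter on the extracted field afterwards rather than folding the check into the regex. The strict variant is worth preferring in a saved search or alert: `.*?` will match across any bucket layout, whereas a character class that excludes `/` and `-` makes an unexpected path fail loudly instead of silently producing a misleading filename.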