Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract fields from an already extracted field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract fields from an already extracted field
Hi all,
I'm trying to extract the filename and file ext of a windows path into to different fields. The sourcetype is CSV and the path is already extracted into a field called Threat Target File Path.
The event looks like:
10/30/15 8:01:40 AM,Z4437-E6A5-58E3,10.221.7.210,C:\Users\u106420\Videos\WP_20140610_002.mp4,NT AUTHORITY\SYSTEM,C:\Windows\system32\svchost.exe
The field Threat Target File Path contains:
C:\Users\u106420\Videos\WP_20140610_002.mp4
And I would like:
Threat Target File Name = WP_20140610_002
Threat Target File Ext = mp4
I would like 'automate' this so I'm guessing that i need to add entries into the transforms.conf and props.conf,
Is this possible and what entries would I need to get the two additional field extractions?
Many thanks for any help,
Mark.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
Inside props.conf:
REPORT-this_part_does_not_matter_but_must_come_below_whatever_created_Threat_Target_File_Path = filename_into_two_parts
Inside transforms.conf:
[filename_into_two_parts]
SOURCE_KEY="Threat Target File Path"
REGEX=[^\.]+?(?<ThreatTargetFileName>[^\\\.]+)(?:\.(?<ThreatTargetFileExt>[^\\\.]*))?$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aaaargggg - all the "backslashes" have been removed 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @markwymer
Make sure to use the text editor tools in the "ask a question" UI to render special characters properly. @woodcock (thanks!) already edited your post for you, but in the future, whenever you're sharing sample code, data, search strings, conf file stanzas (especially anything with regex), etc., highlight it and click the Code Sample button. This will wrap it in a code box so it appears as it should. If you're sharing a snippet of code or regex within a sentence, you can enclose it between two back-ticks () so it appears like this!@#$%^&*%^$\*|\`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry just noticed a typo. The '\' have been removed from the Path name. It should be
10/30/15 8:01:40 AM,Z4437-E6A5-58E3,10.221.7.210,C:\Users\u112200\Videos\WP_20140610_002.mp4,NT AUTHORITY\SYSTEM,C:\Windows\system32\svchost.exe
and the "Threat Target File Path" is
C:\Users\u112200\Videos\WP_20140610_002.mp4
Hopefully, this will now look better
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope - all the '\'s get removed!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
