Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Extracting File Type

behymejt2012
Path Finder
‎05-06-2013 06:56 AM

Hi Everyone,

Trying to extract the File Type from Files (ex: pst, xml, etc). I have tried to split it:

eval split =Split(File,".") | eval type=mvindex(split,1)

But a problem occurs when files like: "2012-12-08 15.36.01.jpg" show up due to the extra "." in the file name.

Is there any recommended rex, or method that can be used to pull the file type from the end of the File name instead of trying to split everything up.

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-06-2013 07:09 AM

If you read the docs, they have the following to say about the mvindex command:

For mvindex(mvfield, startindex, [endindex]), endindex is inclusive and optional; both startindex and endindex can be negative, where -1 is the last element.

So, eval type=mvindex(split,-1) should do the trick.

Otherwise, if you want a rex solution, you could do

... | rex field=File "(?<type>[^.]+)$"

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-06-2013 07:09 AM

If you read the docs, they have the following to say about the mvindex command:

For mvindex(mvfield, startindex, [endindex]), endindex is inclusive and optional; both startindex and endindex can be negative, where -1 is the last element.

So, eval type=mvindex(split,-1) should do the trick.

Otherwise, if you want a rex solution, you could do

... | rex field=File "(?<type>[^.]+)$"
Reply
Solved! Jump to solution

Ayn
Legend
‎05-06-2013 01:53 PM

Sorry, like it says - you need to include a group name at the beginning. I updated my answer with correct syntax.

0 Karma
Reply
Solved! Jump to solution

behymejt2012
Path Finder
‎05-06-2013 08:22 AM

Thanks,

When I try and use the rex I get the following error (havent really used rex): "Error in 'rex' command: The regex '([^.]+)$' does not extract anything. It should specify at least one named group. Format: (?...)."

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...