Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extracting and Compare Folder Path From CSV
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, working on monitoring if someone has moved a file outside a specific folder inside a preset folder structure on a network using data from a CSV source. Inside csv, I am evaluating two specific fields used:
Source_Directory and Destination_Directory
I am trying to compare the two going 3 folders deep in the file path but running into issue when performing my rex command. Preset folder structure is: "\\my.local\d\p\" pulled from the data set used. Within the folder "\p\", there are various folder names. Need to eval if a folder path is different beyond the preset path of "\\my.local\d\p\..." I put in bold what a discrepancy would if there is one.
Example data in CSV:
Source_Directory Destination_Directory
\\my.local\d\p\prg1\folder1\bfolder \\my.local\d\p\prg1\folder1\ffolder
\\my.local\d\p\prg2\folder1 \\my.local\d\p\prg2\folder2
\\my.local\d\p\prg1\folder2 \\my.local\d\p\prg2\folder1\xfolder\mfolder\
\\my.local\d\p\prg3\folder2\afolder \\my.local\d\p\prg3\folder2
\\my.local\d\p\prg2\folder1 \\my.local\d\p\prg1\folder3
Output query I am trying to create
Status Source_Directory Destination_Directory
Same \\my.local\d\p\prg1\folder1\bfolder \\my.local\d\p\prg1\folder1\ffolder
Same \\my.local\d\p\prg2\folder1 \\my.local\d\p\prg2\folder2
Different \\my.local\d\p\prg1\folder2 \\my.local\d\p\prg2\folder1\xfolder\mfolder\
Same \\my.local\d\p\prg3\folder2\afolder \\my.local\d\p\prg3\folder2
Different \\my.local\d\p\prg2\folder1 \\my.local\d\p\prg1\folder3
If folder name is different after the preset"\\my.local\d\p\" path I need that to show in the "Status" output. I have searched extensively on how to use this rex command in this instance with no luck so thought I would post my issue. Here is the search I have been trying to use.
Splunk Search
host="my.local" source="file_source.csv" sourcetype="csv"
| eval src_dir = Source_Directory
| eval des_dir = Destination_Directory
| rex src_path = src_dir "(?<path>.*)\\\\\w*\.\w+$"
| rex des_path= des_dir "(?<path>.*)\\\\\w*\.\w+$"
| eval status = if (src_path = des_path, "Same", "Diffrent")
| table status, Source_Directory, Destination_Directory
Any assistance would be much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
host="my.local" source="file_source.csv" sourcetype="csv"
| rex field=Source_Directory "\\\\([^\\\\]+\\\\){3}(?<src_folder>[^\\\\]+)"
| rex field=Destination_Directory "\\\\([^\\\\]+\\\\){3}(?<dest_folder>[^\\\\]+)"
| eval status = if(src_folder = dest_folder, "Same", "Different")
| table status, Source_Directory, Destination_Directory- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. Was going about that all backwards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
host="my.local" source="file_source.csv" sourcetype="csv"
| rex field=Source_Directory "\\\\([^\\\\]+\\\\){3}(?<src_folder>[^\\\\]+)"
| rex field=Destination_Directory "\\\\([^\\\\]+\\\\){3}(?<dest_folder>[^\\\\]+)"
| eval status = if(src_folder = dest_folder, "Same", "Different")
| table status, Source_Directory, Destination_Directory
Observe and Secure All Apps with Splunk
What's New in Splunk Observability - August 2025
Introduction to Splunk AI
