Solved: Extracting and Compare Folder Path From CSV

ramuzzini · ‎09-05-2024

Hello, working on monitoring if someone has moved a file outside a specific folder inside a preset folder structure on a network using data from a CSV source. Inside csv, I am evaluating two specific fields used:

Source_Directory and Destination_Directory

I am trying to compare the two going 3 folders deep in the file path but running into issue when performing my rex command. Preset folder structure is: "\\my.local\d\p\" pulled from the data set used. Within the folder "\p\", there are various folder names. Need to eval if a folder path is different beyond the preset path of "\\my.local\d\p\..." I put in bold what a discrepancy would if there is one.

Example data in CSV:
Source_Directory Destination_Directory
\\my.local\d\p\prg1\folder1\bfolder \\my.local\d\p\prg1\folder1\ffolder
\\my.local\d\p\prg2\folder1 \\my.local\d\p\prg2\folder2
\\my.local\d\p\prg1\folder2 \\my.local\d\p\prg2\folder1\xfolder\mfolder\
\\my.local\d\p\prg3\folder2\afolder \\my.local\d\p\prg3\folder2
\\my.local\d\p\prg2\folder1 \\my.local\d\p\prg1\folder3

Output query I am trying to create
  Status Source_Directory Destination_Directory
Same \\my.local\d\p\prg1\folder1\bfolder \\my.local\d\p\prg1\folder1\ffolder
Same \\my.local\d\p\prg2\folder1 \\my.local\d\p\prg2\folder2
Different   \\my.local\d\p\prg1\folder2 \\my.local\d\p\prg2\folder1\xfolder\mfolder\
Same \\my.local\d\p\prg3\folder2\afolder \\my.local\d\p\prg3\folder2
Different   \\my.local\d\p\prg2\folder1 \\my.local\d\p\prg1\folder3

If folder name is different after the preset"\\my.local\d\p\" path I need that to show in the "Status" output. I have searched extensively on how to use this rex command in this instance with no luck so thought I would post my issue. Here is the search I have been trying to use.

Splunk Search

 host="my.local"  source="file_source.csv"  sourcetype="csv"
| eval src_dir = Source_Directory
| eval des_dir = Destination_Directory
| rex src_path = src_dir "(?<path>.*)\\\\\w*\.\w+$"
| rex des_path= des_dir "(?<path>.*)\\\\\w*\.\w+$"
| eval status = if (src_path = des_path, "Same", "Diffrent")
| table  status, Source_Directory, Destination_Directory

Any assistance would be much appreciated.

ITWhisperer · ‎09-05-2024

host="my.local"  source="file_source.csv"  sourcetype="csv"
| rex field=Source_Directory "\\\\([^\\\\]+\\\\){3}(?<src_folder>[^\\\\]+)"
| rex field=Destination_Directory "\\\\([^\\\\]+\\\\){3}(?<dest_folder>[^\\\\]+)"
| eval status = if(src_folder = dest_folder, "Same", "Different")
| table  status, Source_Directory, Destination_Directory

View solution in original post

ramuzzini · ‎09-05-2024

Thank you. Was going about that all backwards.

ITWhisperer · ‎09-05-2024

host="my.local"  source="file_source.csv"  sourcetype="csv"
| rex field=Source_Directory "\\\\([^\\\\]+\\\\){3}(?<src_folder>[^\\\\]+)"
| rex field=Destination_Directory "\\\\([^\\\\]+\\\\){3}(?<dest_folder>[^\\\\]+)"
| eval status = if(src_folder = dest_folder, "Same", "Different")
| table  status, Source_Directory, Destination_Directory

Extracting and Compare Folder Path From CSV

eval

field extraction

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation