Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help using REGEX to get the File Path from a field at search time

mkersh
Engager
‎03-29-2012 04:20 PM

I'm attempting to categorize my splunk usage by source - using the logfile path as a rough way to group by application. So in my search, I'm retrieving the source - and then attempting to use REGEX to just show the filepath portion of the value.

Example...

This is my search query...

index=_internal source=license_usage type=Usage | eval MB=round((b/1024)/1024,2) | stats sum(MB) AS usage(mb) by h,s | sort 0 -usage(mb) | rename s as sourceDir | rename h as host

This is a sample of the values being returned for s

/cgu/prd/data/applogs/technical/uapesb02N1.PrdCguIccWesbAppM2.ServiceActivityEvent.log
/pi/prd/data/scv/CRODS_R3/logs/crods_r3.log

/cgu/prd/http/PrdCgu2Http/logs/access_log.2012-03-30

I've tried to use REX to remove the filename and just show the filepath portion using this...

| rex field=s mode=sed "s/(^.*)\(?!\)//g" |

but so far nothing seems to be working. Please help 🙂

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎03-29-2012 04:33 PM

Does this do the trick ?

... | rex field=s "(?<filepath>(/\w+)+)/" | table filepath

View solution in original post

Reply
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎03-29-2012 04:33 PM

Does this do the trick ?

... | rex field=s "(?<filepath>(/\w+)+)/" | table filepath
Reply
Solved! Jump to solution

mkersh
Engager
‎03-29-2012 05:04 PM

That worked perfectly. Thanks!

0 Karma
Reply
Solved! Jump to solution

Damien_Dallimor
Ultra Champion
‎03-29-2012 05:01 PM

updated the original answer and verified that it works in Splunk.

0 Karma
Reply
Solved! Jump to solution

mkersh
Engager
‎03-29-2012 04:53 PM

Thanks - that's closer... It is returning just the last path... so /pi/prd/data/scv/CRODS_R3/logs/crods_r3.log becomes /logs

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...