Solved: Help with rex for part of a file path

rileyken2 · ‎11-21-2019

Here is my path:

C:\WebLogs\sample.domain.com\W3SVC1\u_ex191121.log

I would like to grab just the "sample.domain.com" part.

Some of my files are on the E drive and the W3CSVC folders vary, but the sample.domain.com part is always the same format, although it may be sample1.domain2.com (changing, but always a valid url).

It's my source field so I am hoping for something like rex field=source "super regex here".

I really appreciate the help!

woodcock · ‎11-21-2019

Like this:

... | rex  field=path "^(?:[^\\]+\\){2}(?<domain>[^\\]+)"

View solution in original post

vnravikumar · ‎11-21-2019

Hi

Try this

| makeresults 
| eval test="C:\WebLogs\sample.domain.com\W3SVC1\u_ex191121.log" 
| eval domain = mvindex(split(test,"\\"),2)

rileyken2 · ‎11-22-2019

I can not take the time or Regex seems to difficult to master for occasional problems, so I really appreciate the mvindex idea, I will definitely use this, thanks vnravikumar!

louismai · ‎11-21-2019

Please use '\\' to escape '\'
| rex field=path "^(?:[^\]+\){2}(?[^\]+)"

woodcock · ‎11-21-2019

Like this:

... | rex  field=path "^(?:[^\\]+\\){2}(?<domain>[^\\]+)"

rileyken2 · ‎11-21-2019

I get an error, it doesn't seem to be missing a ] anywhere..?

Error in 'rex' command: Encountered the following error while compiling the regex '^(?:[^]+){2}(?[^]+)': Regex: missing terminating ] for character class.

rileyken2 · ‎11-21-2019

I added some more backslashes and it worked like a charm! Thanks Woodcock

Help with rex for part of a file path

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

Help with rex for part of a file path

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard