Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with rex for part of a file path

rileyken2
Path Finder
‎11-21-2019 03:06 PM

Here is my path:

C:\WebLogs\sample.domain.com\W3SVC1\u_ex191121.log

I would like to grab just the "sample.domain.com" part.

Some of my files are on the E drive and the W3CSVC folders vary, but the sample.domain.com part is always the same format, although it may be sample1.domain2.com (changing, but always a valid url).

It's my source field so I am hoping for something like rex field=source "super regex here".

I really appreciate the help!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-21-2019 03:23 PM

Like this:

... | rex  field=path "^(?:[^\\]+\\){2}(?<domain>[^\\]+)"

View solution in original post

Reply
Solved! Jump to solution

vnravikumar
Champion
‎11-21-2019 07:20 PM

Hi

Try this

| makeresults 
| eval test="C:\WebLogs\sample.domain.com\W3SVC1\u_ex191121.log" 
| eval domain = mvindex(split(test,"\\"),2)
0 Karma
Reply
Solved! Jump to solution

rileyken2
Path Finder
‎11-22-2019 05:26 AM

I can not take the time or Regex seems to difficult to master for occasional problems, so I really appreciate the mvindex idea, I will definitely use this, thanks vnravikumar!

0 Karma
Reply
Solved! Jump to solution

louismai
Path Finder
‎11-21-2019 04:53 PM

Please use '\\' to escape '\'
| rex field=path "^(?:[^\]+\){2}(?[^\]+)"

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-21-2019 03:23 PM

Like this:

... | rex  field=path "^(?:[^\\]+\\){2}(?<domain>[^\\]+)"
Reply
Solved! Jump to solution

rileyken2
Path Finder
‎11-21-2019 04:26 PM

I get an error, it doesn't seem to be missing a ] anywhere..?

Error in 'rex' command: Encountered the following error while compiling the regex '^(?:[^]+){2}(?[^]+)': Regex: missing terminating ] for character class.

0 Karma
Reply
Solved! Jump to solution

rileyken2
Path Finder
‎11-21-2019 04:58 PM

I added some more backslashes and it worked like a charm! Thanks Woodcock

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...