Splunk Search

Help with rex for part of a file path

rileyken2
Path Finder

Here is my path:

C:\WebLogs\sample.domain.com\W3SVC1\u_ex191121.log

I would like to grab just the "sample.domain.com" part.

Some of my files are on the E drive and the W3CSVC folders vary, but the sample.domain.com part is always the same format, although it may be sample1.domain2.com (changing, but always a valid url).

It's my source field so I am hoping for something like rex field=source "super regex here".

I really appreciate the help!

Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

... | rex  field=path "^(?:[^\\]+\\){2}(?<domain>[^\\]+)"

View solution in original post

vnravikumar
Champion

Hi

Try this

| makeresults 
| eval test="C:\WebLogs\sample.domain.com\W3SVC1\u_ex191121.log" 
| eval domain = mvindex(split(test,"\\"),2)
0 Karma

rileyken2
Path Finder

I can not take the time or Regex seems to difficult to master for occasional problems, so I really appreciate the mvindex idea, I will definitely use this, thanks vnravikumar!

0 Karma

louismai
Path Finder

Please use '\\' to escape '\'
| rex field=path "^(?:[^\]+\){2}(?[^\]+)"

0 Karma

woodcock
Esteemed Legend

Like this:

... | rex  field=path "^(?:[^\\]+\\){2}(?<domain>[^\\]+)"

rileyken2
Path Finder

I get an error, it doesn't seem to be missing a ] anywhere..?

Error in 'rex' command: Encountered the following error while compiling the regex '^(?:[^]+){2}(?[^]+)': Regex: missing terminating ] for character class.

0 Karma

rileyken2
Path Finder

I added some more backslashes and it worked like a charm! Thanks Woodcock

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...