Splunk Search

How do I edit my regular expression to extract the file path from my sample data?

bworrellZP
Communicator

Hello,

Trying to set up a field extraction to get the file path from a log source. Raw data looks like this:

file_path=\\?\C:\Windows\Temp\nsf9A28.tmp\System.dll 

I set up a field extraction that looks like this. file_path: (?P[A-Z]:\\[A-Za-z\\0-9\s]+....)

Testing looks okay, but when we go to the field in a search, it comes up like this.

\\?\C:\Windows\Temp\nsf9A28.tmp\System.dll

How do I adjust to drop the \\?\?

Also, how do I adjust for longer or shorter paths?


somesoni2
Revered Legend

Use this regex

file_path=.*(?P<filepath>[A-Z]:[^\"]+)

bworrellZP
Communicator

That worked perfectly on a search.

To convert it to a field extraction, would this be correct?

file_path:"file_path=.*(?P[A-Z]:(\)[^\"]+)"


somesoni2
Revered Legend

Use the same regex that you have in the rex command.

file_path=.*(?P<filepath>[A-Z]:(\\\)[^\"]+)

Also, when you type searches/regular expressions here, select them and click the Code Sample button in the editor toolbox (the button above the writing area that says 101,010) to format them so that nothing gets truncated.


bworrellZP
Communicator

Okay, did not think about that button.

Get an error when I try to paste that into the Extraction field.

"Encountered the following error while trying to update: Regex: missing closing parenthesis"

Not seeing any missing though


somesoni2
Revered Legend

The Windows path always causes issues because of the backslash. Try either of these:

file_path=.*(?P<filepath>[A-Z]:(\\)[^\"]+)

or

file_path=.*(?P<filepath>[A-Z]:[^\"]+)

bworrellZP
Communicator

Nuts, I spoke too soon.

Seems that some entries work while some still have \?\ in them.

One that works:

rec_type=125 rec_type_simple="MALWARE EVENT" event_sec=1481920232 agent_uuid=771335d1-1070-43a5-aba6-d5d2d6eb06e7 cloud="US Cloud" type=1090519054 subtype=34 detector=SHA detection=W32.A78962E3EB-100.SBX.VIOC agent_user=ejones@ZOTECNET file_name=TBNotifier.exe file_path="C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe" sha256=a78962e3ebde2876ba49ba646207c622e7dd4e66b0222108be06b6c49de5ab22 file_size=1928776 file_type=HTML file_ts=1478726223 parent_fname="" parent_sha256="" event_description="" sensor=0 instance_id=0 connection_id=1017 connection_sec=1481920231 direction=0 src_ip=10.0.0.118 dest_ip=:: app_proto=0 agent_user=0 file_policy=00000000-0000-0000-0000-000000000000 disposition=0 retro_disposition=0 uri="" src_port=0 dest_port=0 src_ip_country=0 dest_ip_country=0 web_app=0 client_app=0 file_action=0 ip_proto=0 threat_score=0 num_ioc=0

Example of one that failed:

rec_type=125 rec_type_simple="MALWARE EVENT" event_sec=1481920232 agent_uuid=771335d1-1070-43a5-aba6-d5d2d6eb06e7 cloud="US Cloud" type=1090519054 subtype=Execute detector=SHA detection=W32.A78962E3EB-100.SBX.VIOC agent_user="SYSTEM@NT AUTHORITY" file_name=TBNotifier.exe file_path="\?\C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe" sha256=a78962e3ebde2876ba49ba646207c622e7dd4e66b0222108be06b6c49de5ab22 file_size=1928776 file_type=HTML file_ts=1478726223 parent_fname=apnmcp.exe parent_sha256=b69749726c16e54fc2ec448748dba5136c412ee5a70443b559db89406ba811cb event_description="" sensor=0 instance_id=0 connection_id=1016 connection_sec=1481920231 direction=0 src_ip=10.0.0.118 dest_ip=:: app_proto=0 agent_user=0 file_policy=00000000-0000-0000-0000-000000000000 disposition=0 retro_disposition=0 uri="" src_port=0 dest_port=0 src_ip_country=0 dest_ip_country=0 web_app=0 client_app=0 file_action=0 ip_proto=0 threat_score=0 num_ioc=0

Is it possible for one regex to do both? If not, can I have two extracts with the same name for the sourcetype?

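Added example, not part of the thread: one pattern that extracts the drive-letter path whether the `file_path` value is quoted or not and whether or not it carries the `\\?\` prefix, checked here with Python's `re` module, which accepts the same `(?P<name>...)` named-group syntax as Splunk's PCRE engine. The sample events are constructed from the lines quoted above, trimmed to the fields that matter.

```python
import re

# PCRE-compatible pattern: the same text (minus Python's string quoting)
# can go into a rex command or an inline field extraction. The quote group
# is unnamed on purpose so Splunk creates only the 'filepath' field.
FILE_PATH_RE = re.compile(
    r'file_path=("?)'                # optional opening quote, kept as group 1
    r'(?:\\{1,2}\?\\)?'              # optional \\?\ or \?\ device prefix, not captured
    r'(?P<filepath>[A-Z]:\\[^"]*?)'  # drive letter plus path, any length, lazy
    r'\1(?=\s|$)'                    # closing quote (if one opened) then space/end
)
# For an unquoted value group 1 is empty, so the lazy path stops at the first
# whitespace; for a quoted value it runs up to the closing quote, spaces included.


def extract_file_path(event: str):
    """Return the normalised path without prefix/quotes, or None if absent."""
    m = FILE_PATH_RE.search(event)
    return m.group("filepath") if m else None


# Constructed samples modelled on the three shapes seen in the thread.
SAMPLES = [
    r'file_path=\\?\C:\Windows\Temp\nsf9A28.tmp\System.dll sha256=0',
    r'file_name=TBNotifier.exe file_path="C:\Program Files (x86)\AskPartnerNetwork'
    r'\Toolbar\Updater\TBNotifier.exe" sha256=a7',
    r'file_name=TBNotifier.exe file_path="\?\C:\Program Files (x86)\AskPartnerNetwork'
    r'\Toolbar\Updater\TBNotifier.exe" sha256=a7',
    r'rec_type=125 file_name=TBNotifier.exe sha256=a7',  # no file_path at all
]

if __name__ == "__main__":
    for event in SAMPLES:
        print(extract_file_path(event))
```

Because the prefix and quotes sit outside the named group, the same extraction yields identical `filepath` values for both events quoted above, so no second extraction with the same name is needed.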

bworrellZP
Communicator

Okay, this works perfectly as a search-time regex. When I try to make it a field extraction, I get "Encountered the following error while trying to update: Regex: missing closing parenthesis". I do not see where one is missing.

I was pasting it into my existing file_path extract like this.

file_path=.+(?P[A-Z]:(\)[A-z0-9._\s-]+)
