Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I split a string which contains a path so I'm only getting the first two directories?

DamageSplunk
Explorer
‎06-20-2015 04:10 AM

I have several thousand events with a path such as d:\RNREDINFFTP01-AVREDINFWFS01\ebtest1\foo\bar\filename2.txt. The folder name is not static - I'm using a fschange monitor to pull the events so the root directory RNREDINFFTP01-AVREDINFWFS01 and the tertiary directories are not static.

I want to show the size of the files based on the first or second directory, depending on the users need for detail. For instance.

d:\RNREDINFFTP01-AVREDINFWFS01   100 files 100mb

OR

d:\RNREDINFFTP01-AVREDINFWFS01\ebtest1 50 files 50mb
d:\RNREDINFFTP01-AVREDINFWFS01\ebtest2 40 files 40mb
d:\RNREDINFFTP01-AVREDINFWFS01\ebtest3 10 files 10mb

I doubt I'll ever go past the 2nd directory. I've tried using rex and can't seem to get the groups right. If I was using vbscript or powershell I'd simply call split based on \ and then group by the first or the first+second directories. What am I missing?? ...and... what is the best way to tackle this?

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-20-2015 04:45 AM

Try this:

... rex field=source "(?<PathPrefix>(?:[^\\\]+\\\){2})"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-20-2015 04:45 AM

Try this:

... rex field=source "(?<PathPrefix>(?:[^\\\]+\\\){2})"
0 Karma
Reply
Solved! Jump to solution

fdinkler
Observer
‎03-16-2022 08:11 AM

I'm trying to adapt this for a UNIX path, and I can't tell why it's not working.

I have is 

rex field=uri "(?<PathPrefix>(?:[^/]+/){2})"

 

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-22-2015 12:32 PM

OK, it turns out you need an additional escape character like this (fixed in original answer, too):

... rex field=source "(?<PathPrefix>(?:[^\\\]+\\\){2})"
Reply
Solved! Jump to solution

DamageSplunk
Explorer
‎06-22-2015 12:36 PM

That did it! Thank you.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-21-2015 01:48 AM

That regex doesn't compile.

If you meant to use a non-capturing group it should be (?:, not (?;.

Reply
Solved! Jump to solution

DamageSplunk
Explorer
‎06-22-2015 12:16 PM

Thanks but I'm getting a different error now, Error in 'rex' command: Encountered the following error while compiling the regex '(?(?:[^]+){2})': Regex: missing terminating ] for character class .

I don't see any issues, there's matching Parens and Braces. Any ideas?

Thanks - Eric

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-22-2015 09:13 AM

Yes, thank you for catching the typo (stupid dumb-phone keyboard). It is fixed now.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...