Splunk Search

## How do I split a string which contains a path so I'm only getting the first two directories?

Explorer

I have several thousand events with a path such as d:\RNREDINFFTP01-AVREDINFWFS01\ebtest1\foo\bar\filename2.txt. The folder name is not static - I'm using a fschange monitor to pull the events so the root directory RNREDINFFTP01-AVREDINFWFS01 and the tertiary directories are not static.

I want to show the size of the files based on the first or second directory, depending on the users need for detail. For instance.

d:\RNREDINFFTP01-AVREDINFWFS01   100 files 100mb


OR

d:\RNREDINFFTP01-AVREDINFWFS01\ebtest1 50 files 50mb
d:\RNREDINFFTP01-AVREDINFWFS01\ebtest2 40 files 40mb
d:\RNREDINFFTP01-AVREDINFWFS01\ebtest3 10 files 10mb


I doubt I'll ever go past the 2nd directory. I've tried using rex and can't seem to get the groups right. If I was using vbscript or powershell I'd simply call split based on \ and then group by the first or the first+second directories. What am I missing?? ...and... what is the best way to tackle this?

Tags (5)
1 Solution
Esteemed Legend

Try this:

... rex field=source "(?<PathPrefix>(?:[^\\\]+\\\){2})"

Esteemed Legend

Try this:

... rex field=source "(?<PathPrefix>(?:[^\\\]+\\\){2})"

Esteemed Legend

OK, it turns out you need an additional escape character like this (fixed in original answer, too):

... rex field=source "(?<PathPrefix>(?:[^\\\]+\\\){2})"

Explorer

That did it! Thank you.

SplunkTrust

That regex doesn't compile.

If you meant to use a non-capturing group it should be (?:, not (?;.

Explorer

Thanks but I'm getting a different error now, Error in 'rex' command: Encountered the following error while compiling the regex '(?(?:[^]+){2})': Regex: missing terminating ] for character class .

I don't see any issues, there's matching Parens and Braces. Any ideas?

Thanks - Eric

Esteemed Legend

Yes, thank you for catching the typo (stupid dumb-phone keyboard). It is fixed now.

State of Splunk Careers