I have several thousand events with a path such as d:\RNREDINFFTP01-AVREDINFWFS01\ebtest1\foo\bar\filename2.txt. The folder name is not static - I'm using a fschange monitor to pull the events so the root directory RNREDINFFTP01-AVREDINFWFS01 and the tertiary directories are not static.
I want to show the size of the files based on the first or second directory, depending on the user's need for detail. For instance:
d:\RNREDINFFTP01-AVREDINFWFS01 100 files 100mb
OR
d:\RNREDINFFTP01-AVREDINFWFS01\ebtest1 50 files 50mb
d:\RNREDINFFTP01-AVREDINFWFS01\ebtest2 40 files 40mb
d:\RNREDINFFTP01-AVREDINFWFS01\ebtest3 10 files 10mb
I doubt I'll ever go past the 2nd directory. I've tried using rex and can't seem to get the groups right. If I was using vbscript or powershell I'd simply call split based on \ and then group by the first or the first+second directories. What am I missing?? ...and... what is the best way to tackle this?
Try this:
... rex field=source "(?<PathPrefix>(?:[^\\\]+\\\){2})"
I'm trying to adapt this for a UNIX path, and I can't tell why it's not working.
What I have is:
rex field=uri "(?<PathPrefix>(?:[^/]+/){2})"
OK, it turns out you need an additional escape character like this (fixed in original answer, too):
... rex field=source "(?<PathPrefix>(?:[^\\\]+\\\){2})"
That did it! Thank you.
That regex doesn't compile.
If you meant to use a non-capturing group it should be (?:, not (?;.
Thanks but I'm getting a different error now, Error in 'rex' command: Encountered the following error while compiling the regex '(?(?:[^]+){2})': Regex: missing terminating ] for character class .
I don't see any issues, there's matching Parens and Braces. Any ideas?
Thanks - Eric
Yes, thank you for catching the typo (stupid dumb-phone keyboard). It is fixed now.
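Added example, not part of the original thread: a Python sketch of the same prefix extraction, showing the pattern as the regex engine has to receive it, the per-prefix file count and size totals the question asks for, and the character-class failure that appears when one level of backslashes is lost. The sample events, their sizes and the function names are constructed for illustration; Python writes the named group as (?P<name>...) where rex uses (?<name>...).

```python
import re
from collections import defaultdict

# Pattern as the regex engine must receive it: one escaped backslash inside the
# character class and one after it. The repeat count is filled in per call.
PREFIX_TEMPLATE = r"(?P<PathPrefix>(?:[^\\]+\\){%d})"

# Constructed sample events: (source path, size in bytes). Not from the thread.
EVENTS = [
    (r"d:\RNREDINFFTP01-AVREDINFWFS01\ebtest1\foo\bar\filename2.txt", 2048),
    (r"d:\RNREDINFFTP01-AVREDINFWFS01\ebtest1\foo\a.txt", 1024),
    (r"d:\RNREDINFFTP01-AVREDINFWFS01\ebtest2\b.txt", 512),
    (r"d:\top.txt", 100),  # file directly under the drive: no directory to group by
]


def path_prefix(source, depth):
    """Return the drive plus `depth` directories, or None if the path is shallower."""
    # depth + 1 repetitions because "d:\" is itself one "segment + backslash",
    # which is why the thread's {2} yields the drive and the first directory.
    m = re.match(PREFIX_TEMPLATE % (depth + 1), source)
    return m.group("PathPrefix").rstrip("\\") if m else None


def summarize(events, depth):
    """Group events by prefix; return {prefix: (file_count, total_bytes)}."""
    totals = defaultdict(lambda: [0, 0])
    for source, size in events:
        key = path_prefix(source, depth) or "(too shallow)"
        totals[key][0] += 1
        totals[key][1] += size
    return {k: tuple(v) for k, v in totals.items()}


def compiles(pattern):
    """True if the regex engine accepts the pattern."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    for depth in (1, 2):
        for prefix, (files, size) in sorted(summarize(EVENTS, depth).items()):
            print(depth, prefix, files, "files", size, "bytes")
    # With one backslash level stripped, "\]" escapes the bracket and the
    # character class never terminates, so compilation fails.
    print(compiles(r"(?:[^\]+\){2}"))
```

For UNIX paths the same structure applies with "/" as the separator, which needs no escaping in the pattern.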