Splunk Search

How do I use rex to extract filenames from UNC paths?

mrgibbon
Contributor

Hi All,

I've looked at quite a few answers to this issue and none seem to work for me.

Data Sample:

\\BLAH01\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH01\Group\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH01\Groups\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\coreos\coreos.vmx
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.vmx
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.nvram
\\BLAH02\BLAH\x\BLAH\VMware\VMware_Horizon6\ACP!5C!s_BLAH.vmdk
\\BLAH02\BLAH\RAMS\$Research\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH02\BLAH\Fil01\e_ev\Group\BLAH\Backups\Copy of BLAH\index.asp.LCK
\\BLAH02\BLAH\Fil01\d_ev\Users\BLAH\old pc files\BLAH\Local Settings\Application Data\Microsoft\Silverlight\mssl.lck 

I just need a simple rex to pull out the filenames.
It should be easy, but it's taking me forever.
Can anyone help?

Thanks in advance.

0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

See if the following helps:

| rex field=yourfieldname "(?<filename>[^\\\]+$)"

Example:

| stats count | fields - count
| eval raw = "
\\BLAH01\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Group\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Groups\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\coreos\coreos.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.nvram;
\\BLAH02\BLAH\x\BLAH\VMware\VMware_Horizon6\ACP!5C!s_BLAH.vmdk;
\\BLAH02\BLAH\RAMS\$Research\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\Fil01\e_ev\Group\BLAH\Backups\Copy of BLAH\index.asp.LCK;
\\BLAH02\BLAH\Fil01\d_ev\Users\BLAH\old pc files\BLAH\Local Settings\Application Data\Microsoft\Silverlight\mssl.lck
"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<filename>[^\\\]+$)"

Output: see picture

alt text

View solution in original post

javiergn
SplunkTrust
SplunkTrust

See if the following helps:

| rex field=yourfieldname "(?<filename>[^\\\]+$)"

Example:

| stats count | fields - count
| eval raw = "
\\BLAH01\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Group\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Groups\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\coreos\coreos.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.nvram;
\\BLAH02\BLAH\x\BLAH\VMware\VMware_Horizon6\ACP!5C!s_BLAH.vmdk;
\\BLAH02\BLAH\RAMS\$Research\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\Fil01\e_ev\Group\BLAH\Backups\Copy of BLAH\index.asp.LCK;
\\BLAH02\BLAH\Fil01\d_ev\Users\BLAH\old pc files\BLAH\Local Settings\Application Data\Microsoft\Silverlight\mssl.lck
"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<filename>[^\\\]+$)"

Output: see picture

alt text

View solution in original post

mrgibbon
Contributor

That is 400 different types of awesome!
Thanks so much!
:)

0 Karma

mrgibbon
Contributor

Is there a way of getting the path without the filename on the end? 🙂

0 Karma

javiergn
SplunkTrust
SplunkTrust

Yes, try this:

| rex field=yourfieldname "(?<path>.+)\\\(?<filename>[^\\\]+$)"

Keep in mind Splunk is replacing the double backslash with single backslash on my example, but the principle is the same anyway.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!