How to extract a field from a long path name?

splunker9999 · ‎01-19-2017

HI

We need to create a new field for file name and this is to be extracted from path we have.

We need to extract last segment from below path which is jst_cat_20170119164505.xfrfrom below path .
Format of path is as below

/home/ist/user/dealer/jst_cat_20170119164505.xfr
/home/dlr/user/ist_cat_20116091456.xfr.pdt
/home/dlr/user/ist_cat/dealer/files.20160910.txt
/home/dlr/user/ist_cat/dealer/files.20160910.txt.pdt

Thanks

gokadroid · ‎01-19-2017

If all of these urls are in individual events then this extraction shall give you desired result:

your command to return events
| rex "\/(([^\s\/]+\/)*)(?<fileName>[\S]+)"
| table fileName

If all of these are in single event then use the max_match=0 something like this

your command to return events
| rex max_match=0 "\/(([^\s\/]+\/)*)(?<fileName>[\S]+)"
| mvexpand fileName
| table fileName

How to extract a field from a long path name?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!