Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract the file name from full path using regex/rex?

jamesvz84
Communicator
‎02-18-2015 03:47 PM

I am trying to extract a file name from the entire path using rex. An example log is:

....request=http://66.228.48.137/malicious_file/2007-5659/21.exe....

I am using the following search:

index="devices-syslog-ng" | rex field=_raw "request=[^/]+(?[^\s]+)"

However, this is returning: //66.228.48.137/malicious_file/2007-5659/21.exe

How can I get it to just return 21.exe?

Tags (3)
0 Karma
Reply

musskopf
Builder
‎02-18-2015 03:53 PM

Hello,

assuming you have a "white space" after the filename, you could try:

index="devices-syslog-ng" | rex field=_raw "request=.+\/(?P<filename>.+)\s"

I've used the named extraction, so it will create a field named "filename".

Another option, if the field "request" is already been extracted you could try:

index="devices-syslog-ng" | rex field=request ".+\/(?P<filename>.+)\s"

Cheers,

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎02-24-2015 10:02 AM

There would not be a space at the end of the extracted field(request), so the second rex would need to be something like:

rex field=request "(?P<filename>[^/]+)$"

This also makes sure that only the last bit beyond the last slash (/) is placed in the filename.

Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...