Splunk Search

How to match folders only from file path search results by using a regular expression?

erictodor
New Member

I have a search which produces c:\folder\folder\folder\folder\file.exe as results. I want to remove file.exe so that I'm left with c:\folder\folder\folder\folder. It's unknown how many subfolders may exist in my search results. Any help with the regex syntax would be great.

Thank you

0 Karma

gcusello
SplunkTrust

Hi erictodor,
You can use a regex like this:

your_search | rex field=your_field "(?<path>.*)\\\w*\.\w+$"

Bye.
Giuseppe

0 Karma

erictodor
New Member

That didn't work. I managed to make this regex work in a simulator, but I'm not sure why I can't get the syntax to work in Splunk:

\.+\w+\' (works in simulator)

"(?<'path'>)\.+\w+\" (attempt at Splunk regex logic)

0 Karma

gcusello
SplunkTrust

Try with:

your_search | rex field=your_field "(?<path>.*)\\\\\w*\.\w+$" | table path

This is an example that runs on my Splunk:

index=_internal 
| head 1 
| eval my_field="c:\folder\folder\folder\folder\file.exe" 
| rex field=my_field "(?<path>.*)\\\\\w*\.\w+$" 
| table path

The result is c:\folder\folder\folder\folder.
Bye.
Giuseppe
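The following is an added worked example, not code from the thread or from Splunk. It shows why the three-backslash pattern from the first reply fails and the five-backslash one works: the text between the double quotes of `rex` is first unescaped as an SPL string (`\\` becomes one backslash) before it reaches the regex engine. The unescaping function below is a deliberately simplified model of that string handling (an assumption for this example, not Splunk's implementation), and Python's `re` spells named groups `(?P<name>...)` rather than PCRE's `(?<name>...)`, so the group syntax is translated before compiling. It also tries a third pattern, `(?<path>.*)\\\\[^\\\\]+$`, which is my own alternative rather than something from the thread: it strips everything after the last backslash, so it also copes with file names that contain spaces or more than one dot (`file.tar.gz`), where `\w*\.\w+$` does not match.

```python
import re
from typing import Optional

# Sample value, constructed for this example (the same shape as in the post).
SAMPLE = r"c:\folder\folder\folder\folder\file.exe"


def spl_string_to_regex(spl_literal: str) -> str:
    """Turn the text typed between the double quotes of an SPL rex command
    into the regex the engine actually sees.

    Simplified model of Splunk's double-quoted string escaping (an assumption
    for this example): '\\\\' becomes one backslash, '\\"' becomes a quote, and
    every other backslash sequence (\\w, \\., \\d ...) is passed through as-is.
    """
    out = []
    i = 0
    while i < len(spl_literal):
        c = spl_literal[i]
        if c == "\\" and i + 1 < len(spl_literal):
            nxt = spl_literal[i + 1]
            if nxt in ("\\", '"'):
                out.append(nxt)  # escaped backslash or quote collapses to one char
                i += 2
                continue
        out.append(c)
        i += 1
    return "".join(out)


def extract_path(value: str, spl_literal: str) -> Optional[str]:
    """Apply an SPL rex pattern to a value; return the 'path' group or None.

    Python's re module uses (?P<name>...) for named groups, while Splunk (PCRE)
    uses (?<name>...), so the group opener is translated before compiling.
    """
    regex = spl_string_to_regex(spl_literal).replace("(?<path>", "(?P<path>")
    m = re.search(regex, value)
    return m.group("path") if m else None


# The two patterns from the thread, exactly as typed inside the quotes of
# `rex field=my_field "..."`.
FIRST_ANSWER = r"(?<path>.*)\\\w*\.\w+$"      # three backslashes: regex sees \\w* (literal "\" then "w"s)
SECOND_ANSWER = r"(?<path>.*)\\\\\w*\.\w+$"   # five backslashes: regex sees \\\w* (literal "\" then word chars)

# Alternative pattern (my own, not from the thread): drop the last "\"-separated
# segment whatever it contains, so spaces and extra dots in the file name are fine.
LAST_SEGMENT = r"(?<path>.*)\\\\[^\\\\]+$"

# A harder constructed input: space in a folder name, two dots in the file name.
HARDER = r"c:\Program Files\app\file.tar.gz"


if __name__ == "__main__":
    for label, pattern in (("first", FIRST_ANSWER), ("second", SECOND_ANSWER), ("last-segment", LAST_SEGMENT)):
        print(f"{label:13} regex={spl_string_to_regex(pattern)!r}")
        print(f"{'':13} SAMPLE -> {extract_path(SAMPLE, pattern)!r}")
        print(f"{'':13} HARDER -> {extract_path(HARDER, pattern)!r}")
```

Running it shows the first pattern returning None for the simple sample, the second returning `c:\folder\folder\folder\folder` but None for `file.tar.gz`, and the last-segment pattern handling both. In Splunk itself, that third form would be typed as `rex field=my_field "(?<path>.*)\\\\[^\\\\]+$"`; paths with a trailing backslash have no final segment and will not match any of the three.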
