Re: How to match folders only from file path searc...

erictodor · ‎05-15-2017

I have a search which produces c:\folder\folder\folder\folder\file.exe as results. I want to remove file.exe so that I'm left with c:\folder\folder\folder\folder. It's unknown how many subfolders may exist in my search results. Any help with the regex syntax would be great.

Thank you

gcusello · ‎05-15-2017

Hi erictodor,
you can use a regex like this

your_search | rex field=your_field "(?<path>.*)\\\w*\.\w+$"

Bye.
Giuseppe

erictodor · ‎05-15-2017

That didn't work. I managed to make this regex work in a simulator but I'm not sure why I can't get the syntax to work in Splunk

\.+\w+\' (works in simulator)

"(?<'path'>)\.+\w+\" (attempt at Splunk regex logic)

gcusello · ‎05-16-2017

try with

your_search | rex field=your_field "(?<path>.*)\\\\\w*\.\w+$" | table path

this is an example that runs on my Splunk

index=_internal 
| head 1 
| eval my_field="c:\folder\folder\folder\folder\file.exe" 
| rex field=my_field "(?<path>.*)\\\\\w*\.\w+$" 
| table path

result is c:\folder\folder\folder\folder
Bye.
Giuseppe

How to match folders only from file path search results by using regular expression?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

How to match folders only from file path search results by using regular expression?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud