Solved: How to remove Windows subfolders from search resul...

erictodor · ‎05-11-2017

I have a search which produces c:\folder\folder\folder\folder\file.exe as results. I want to remove all of the c:\folders so I'm only left with file.exe. Its unknown how many subfolders may exist in my search. I'm still new to regex searching so I managed to get the query I want in a simulator but I can't get splunk to produce the results.

Expression [^\\\]*$

| rex field=Filepath "(?<'Path'>[^\\\]*$)"

Any help would be appreciated

somesoni2 · ‎05-11-2017

Give this a try (run anywhere sample, replace line 1 with your search)

| gentimes start=-1 | eval FilePath="c:\folder\folder\folder\folder\file.exe" | table FilePath 
| rex field=FilePath "\\\(?<path>\w+\.\w+)$"

View solution in original post

somesoni2 · ‎05-11-2017

Give this a try (run anywhere sample, replace line 1 with your search)

| gentimes start=-1 | eval FilePath="c:\folder\folder\folder\folder\file.exe" | table FilePath 
| rex field=FilePath "\\\(?<path>\w+\.\w+)$"

How to remove Windows subfolders from search results by using regular expression?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases