Solved: How to remove Windows subfolders from search resul...

erictodor · ‎05-11-2017

I have a search which produces c:\folder\folder\folder\folder\file.exe as results. I want to remove all of the c:\folders so I'm only left with file.exe. Its unknown how many subfolders may exist in my search. I'm still new to regex searching so I managed to get the query I want in a simulator but I can't get splunk to produce the results.

Expression [^\\\]*$

| rex field=Filepath "(?<'Path'>[^\\\]*$)"

Any help would be appreciated

somesoni2 · ‎05-11-2017

Give this a try (run anywhere sample, replace line 1 with your search)

| gentimes start=-1 | eval FilePath="c:\folder\folder\folder\folder\file.exe" | table FilePath 
| rex field=FilePath "\\\(?<path>\w+\.\w+)$"

View solution in original post

somesoni2 · ‎05-11-2017

Give this a try (run anywhere sample, replace line 1 with your search)

| gentimes start=-1 | eval FilePath="c:\folder\folder\folder\folder\file.exe" | table FilePath 
| rex field=FilePath "\\\(?<path>\w+\.\w+)$"

How to remove Windows subfolders from search results by using regular expression?

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?

How to remove Windows subfolders from search results by using regular expression?

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...