I'm attempting to determine what folders on a Windows server are being audited. I don't have access to the server to view the inputs.conf file and need to discover what folders are being accessed from the audit logs sent to Splunk. The field labeled FilePath shows the entire path to the file. I have not been successful in creating a regex query to extract only the top parent folder. Because the string value of FilePath contains the full path, I am trying to figure out how to display just the first folder of the entire folder path.
index=win_servers Computer="Storage" | table FilePath | rex field=FilePath "^\\ (?<FilePath>[^\\ ]+)"
The search above produces the results below after passing it to dedup.
H:\Folder1\subfolder1\subfolder_A
H:\Folder1\subfolder1\subfolder_B
H:\Folder1\subfolder2\subfolder_A
H:\Folder2\subfolder1\
H:\Folder2\subfolder2\subfolder_A
H:\Folder2\subfolder3\subfolder_B
H:\Folder3\subfolder1\
H:\Folder3\subfolder2\
H:\Folder4\subfolder1\
H:\Folder4\subfolder2\
The results I am looking for are just the following:
H:\Folder1\
H:\Folder2\
H:\Folder3\
H:\Folder4\
...
I've looked at the following posts and haven't been able to successfully apply what is mentioned to my situation.
https://community.splunk.com/t5/Splunk-Search/rex-regex-to-extract-first-folder-name-from-the-path/m...
https://community.splunk.com/t5/Splunk-Search/Regex-Source-and-Destination-files-with-path-filename-...
https://community.splunk.com/t5/Splunk-Search/Regex-to-match-string-between-2-strings/m-p/626758#M21...
Any help would be appreciated!
Hi @redhonda03_2
You could try this method
| makeresults
| eval data=split("H:\Folder1\subfolder1\subfolder_A", "\\")
| eval data=mvjoin(mvindex(data, 0,1), "\\")
OR, using your query, something like this
index=win_servers Computer="Storage"
| eval FilePath=split(FilePath, "\\")
,FilePath=mvjoin(mvindex(FilePath, 0,1), "\\")
| table FilePath
Hope this helps
Just to add to this, the reason it's a struggle to get the regex going, is probably the backslashes giving you grief. The backslashes within search regex need to be escaped at the search layer and at the regex layer too. You need to triple escape the backslashes.
This solution will work with both conventional lettered-drives and also UNC paths:
| rex field=FilePath "(?i)(?<parent>(?:[A-Z]\:|\\\\{2}[^\\\\]+)\\\\[^\\\\]+\\\\)"
Using an | eval like in @yeahnah's solution is definitely more readable and probably more practical too, just be mindful of any UNC paths.
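To see what the rex and the eval approaches above actually do once Splunk's search-layer escaping is stripped, here is an added Python example (not from this thread or from Splunk). It assumes that Splunk collapses one layer of backslash escaping in a double-quoted string before the pattern reaches PCRE; the UNC and root-file sample paths are constructed.

```python
import re

# The pattern exactly as it sits inside the double-quoted rex string above.
SPL_REX_PATTERN = r"(?i)(?<parent>(?:[A-Z]\:|\\\\{2}[^\\\\]+)\\\\[^\\\\]+\\\\)"

def spl_to_pcre(pattern: str) -> str:
    """Strip the search-layer escaping from a double-quoted SPL string.

    Assumption: the only search-layer escape that matters here is a doubled
    backslash collapsing to one. Python's re needs (?P<name>...) instead of
    PCRE's (?<name>...); that rewrite is for this demo only.
    """
    return pattern.replace("\\\\", "\\").replace("(?<", "(?P<")

# What the regex engine actually sees after the search layer is done:
#   (?i)(?P<parent>(?:[A-Z]\:|\\{2}[^\\]+)\\[^\\]+\\)
TOP_FOLDER_RE = re.compile(spl_to_pcre(SPL_REX_PATTERN))

def top_folder_rex(path: str):
    """rex approach: drive letter or UNC server and share, then the first folder.
    Returns None when there is no folder component (e.g. a file at the root)."""
    m = TOP_FOLDER_RE.search(path)
    return m.group("parent") if m else None

def top_folder_eval(path: str) -> str:
    """eval approach: split on the backslash, keep the first two pieces, re-join."""
    return "\\".join(path.split("\\")[:2])

# Constructed sample: the question's lettered-drive paths plus a UNC path and a root file.
SAMPLE_PATHS = [
    "H:\\Folder1\\subfolder1\\subfolder_A",
    "H:\\Folder1\\subfolder1\\subfolder_B",
    "H:\\Folder2\\subfolder1\\",
    "H:\\Folder3\\subfolder2\\",
    "\\\\fileserver\\share\\Folder4\\x",
    "H:\\file.txt",
]

def dedup_parents(paths, extractor):
    """Mimic '| table FilePath | dedup FilePath': unique values, first-seen order."""
    seen = []
    for parent in (extractor(p) for p in paths):
        if parent is not None and parent not in seen:
            seen.append(parent)
    return seen

if __name__ == "__main__":
    print(dedup_parents(SAMPLE_PATHS, top_folder_rex))   # UNC keeps server and share
    print(dedup_parents(SAMPLE_PATHS, top_folder_eval))  # UNC collapses to a lone '\'
```

The last two lines show the UNC caveat: the rex version returns the server and share, while the split/mvindex version returns a bare backslash because a UNC path starts with two empty pieces.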
Tom,
Thank you for taking time to provide an alternate solution! I'll have to spend some time looking at PCRE regex rules to decipher how all this fits together. I've changed some of the content and some changes do not appear to make a difference, others alter the output, and other changes break the regex.
Just when I think I have the basics down, something throws me a curve.
Here are a couple of good websites that you can use to practise, play and learn about regex