Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: regex: list parent folder only
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm attempting to determine what folders on a Windows server are being audited. I don't have access to the server to view the inputs.conf file and need to discover what folders are being accessed from the audit logs sent to Splunk. The field labeled FilePath shows the entire path to the file. I have not been successful in creating a regex query to extract only the top parent folder. Because the string value of FilePath contains the full path, I am trying to figure out how to display just the first folder of the entire folder path.
index=win_servers Computer="Storage" | table FilePath | rex field=FilePath "^\\ (?<FilePath>[^\\ ]+)"
The search above produces the results below after passing it to dedup.
H:\Folder1\subfolder1\subfolder_A
H:\Folder1\subfolder1\subfolder_B
H:\Folder1\subfolder2\subfolder_A
H:\Folder2\subfolder1\
H:\Folder2\subfolder2\subfolder_A
H:\Folder2\subfolder3\subfolder_B
H:\Folder3\subfolder1\
H:\Folder3\subfolder2\
H:\Folder4\subfolder1\
H:\Folder4\subfolder2\
The results I am looking for is to just show the following:
H:\Folder1\
H:\Folder2\
H:\Folder3\
H:\Folder4\
...
I've looked at the following posts and haven't been able to successfully apply what is mentioned to my situation.
https://community.splunk.com/t5/Splunk-Search/rex-regex-to-extract-first-folder-name-from-the-path/m...
https://community.splunk.com/t5/Splunk-Search/Regex-Source-and-Destination-files-with-path-filename-...
https://community.splunk.com/t5/Splunk-Search/Regex-to-match-string-between-2-strings/m-p/626758#M21...
Any help would be appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @redhonda03_2
You could try this method
| makeresults
| eval data=split("H:\Folder1\subfolder1\subfolder_A", "\\")
| eval data=mvjoin(mvindex(data, 0,1), "\\")
OR, using your query, something like this
index=win_servers Computer="Storage"
| eval FilePath=split(FilePath, "\\")
,FilePath=mvjoin(mvindex(FilePath, 0,1), "\\")
| table FilePath
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to add to this, the reason it's a struggle to get the regex going, is probably the backslashes giving you grief. The backslashes within search regex need to be escaped at the search layer and at the regex layer too. You need to triple escape the backslashes.
This solution will work with both conventional lettered-drives and also UNC paths:
| rex field=FilePath "(?i)(?<parent>(?:[A-Z]\:|\\\\{2}[^\\\\]+)\\\\[^\\\\]+\\\\)"
Using an | eval like in @yeahnah's solution is definitely more readable and probably more practical too, just be mindful for any UNC paths.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tom,
Thank you for taking time to provide an alternate solution! I'll have to spend some time looking at PCRE regex rules to decipher how all this fits together. I've changed some of the content and some changes do not appear to make a difference, others alter the output, and other changes break the regex.
Just when I think I have the basics down, something throws me curve.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are a couple of good websites that you can use to practise, play and learn about regex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @redhonda03_2
You could try this method
| makeresults
| eval data=split("H:\Folder1\subfolder1\subfolder_A", "\\")
| eval data=mvjoin(mvindex(data, 0,1), "\\")
OR, using your query, something like this
index=win_servers Computer="Storage"
| eval FilePath=split(FilePath, "\\")
,FilePath=mvjoin(mvindex(FilePath, 0,1), "\\")
| table FilePath
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
