So I have a couple of lines that I am trying to get info out of using regex and it's not going quite the way I was hoping. Say in my events I have the lines below
1.) \Device\HarddiskVolume23\Test1
2.) \Device\HarddiskVolume23\Test1\Test
3.) \Device\HarddiskVolume23\Test1\Test\Test1
What I am looking to get is the results that would just be the root directories (\Device\HarddiskVolume23\Test1). So I'm trying to set up a regex that does just that, but I'm not having the best of luck.
If I do the following, I will get the results 1 and 3 above.
regex Object_Name="Test1$"
I was trying to set up the search so it would go:
regex Object_Name="HarddiskVolume\d\\d\\Test1$"
That doesn't return any results. Even if I used:
regex Object_Name="HarddiskVolume23\\Test1$"
I do not get any results.
I have multiple different paths to get this to search for, so that is why I would like to use as many regex variables as I can.
So what can I do to get this to work properly?
This works fine for me. (comes with run anywhere example with your sample data)
| gentimes start=-1 | eval temp="\Device\HarddiskVolume23\Test1 \Device\HarddiskVolume23\Test1\Test \Device\HarddiskVolume23\Test1\Test\Test1" | makemv temp| table temp | mvexpand temp | regex temp="HarddiskVolume\d+\\\Test1$"
You're almost there, just missing additional backslash
This regex statement will match all three lines assuming each line begins with a backslash.
^(\\[^\\]+){3}
In SPL it would look like:
...| rex field=_raw "^(?<myfield>(\\[^\\]+){3})"
or
...| rex field=_raw "^(?<myfield>(\\[^\\]+){3})" max_match=0 |
This works with your sample data. Because SPL and the regex engine both use backslash as an escape character, you have to use 4 backslashes to match a backslash.
regex Object_Name="\\\\\w+?\\\\\w+?\\\\\w+"
The problem is the event isn't always \device\volume\name. There are other events logged that have other paths that I am not concerned about.
When I try the regex Object_Name="\\\\\w+?\\\\\w+?\\\\\w+" it returns all results.
Hi dmittel,
if the events always have the same pattern like \device\volume\name
you can use this little regex:
\\\w+\\\w+\\\w+
which will get \Device\HarddiskVolume23\Test1
from all provided examples.
Hope this helps ...
cheers, MuS
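Putting the answers together in Python, as an added example that is not from this thread: the constructed sample paths are modelled on the question, one pattern keeps only root-level `\Device\<volume>\<name>` entries with a variable volume number, another strips deeper paths back to their first three components (the `{3}` answer), and a helper doubles backslashes the way the four-backslash answer does so the regex engine behind SPL sees the intended pattern.

```python
import re

# Constructed sample Object_Name values (modelled on the thread, not real events).
SAMPLE_PATHS = [
    r"\Device\HarddiskVolume23\Test1",
    r"\Device\HarddiskVolume23\Test1\Test",
    r"\Device\HarddiskVolume23\Test1\Test\Test1",
    r"\Device\HarddiskVolume7\Other",   # another volume/name the asker is not interested in
    r"C:\Users\Public\Test1",           # drive-letter form, not the \Device\... shape
]

# Exactly three backslash-delimited components and nothing after them.
ROOT_ONLY = re.compile(r"^(\\[^\\]+){3}$")
# First three components of a path that starts with a backslash (the {3} answer).
ROOT_PREFIX = re.compile(r"^(\\[^\\]+){3}")
# The asker's intent: any HarddiskVolume number, but the name must be Test1.
TEST1_ROOT = re.compile(r"^\\Device\\HarddiskVolume\d+\\Test1$")


def is_root_path(path: str) -> bool:
    """True only for \\Device\\<volume>\\<name> with no deeper components."""
    return ROOT_ONLY.match(path) is not None


def root_of(path: str):
    """Return the first three components of a \\-prefixed path, else None."""
    m = ROOT_PREFIX.match(path)
    return m.group(0) if m else None


def find_test1_roots(paths):
    """Paths that are exactly the Test1 root on any HarddiskVolume number."""
    return [p for p in paths if TEST1_ROOT.match(p)]


def unique_roots(paths):
    """Distinct roots present in a list of paths, ignoring non-matching ones."""
    return sorted({r for r in map(root_of, paths) if r is not None})


def spl_regex_literal(pattern: str) -> str:
    """Text to place between SPL double quotes so the regex engine sees `pattern`.
    SPL consumes one layer of backslash escaping, so every backslash is doubled."""
    return pattern.replace("\\", "\\\\")


if __name__ == "__main__":
    print(find_test1_roots(SAMPLE_PATHS))
    print(unique_roots(SAMPLE_PATHS))
    print('regex Object_Name="%s"' % spl_regex_literal(r"HarddiskVolume\d+\\Test1$"))
```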