Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex to find a directory in a path

rileyken
Explorer
‎07-30-2019 10:36 AM

I have these paths as sources for an index (the paths are linux file system paths)

/usr/local/myfiles1/myfacilityA/Debug/ADT/ADT_2019-07-30.txt
/usr/local/myfiles2/myfacilityB/Debug/ADT/ADT_2019-07-30.txt
/usr/local/myfiles1/myfacilityC/Debug/ADT/ADT_2019-07-30.txt

i would like to be able to extract "myfacility" as a field so I can search for all of the events with that source path.

It would be fantastic to just capture everything between the /usr/local/myfiles? and the /Debug/ADT/ADT....

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jaime_ramirez
Communicator
‎07-30-2019 10:49 AM

For myfacility field:

...
| rex field=source "\/usr\/local\/myfiles\d+\/myfacility(?<myfacility>.*?)\/Debug\/ADT\/"

And for everything between the /usr/local/myfiles? and the /Debug/ADT/ADT:

...
| rex field=source "\/usr\/local\/myfiles(?<myfacilityPath>.*?)\/Debug\/ADT\/"

Hope it helps

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bwlm
Path Finder
‎12-02-2020 10:19 PM

If you would like to avoid cumbersome regex rules and are just looking for the fourth directory (or 0-4 directory path) you may want to consider the Splunk Multivalue eval functions "mvindex", "split", and "mvjoin" to do the work for you... note that the "nomv" commands are optional in most cases.

 

| makeresults
| eval filepathname="/usr/local/myfiles1/myfacilityA/Debug/ADT/ADT_2019-07-30.txt"
| eval Dir4=mvindex(split(filepathname,"/"),4,4) 
| nomv Dir4
| eval Dir0to4=mvjoin(mvindex( split(filepathname,"/"),0,4), "/") 
| nomv Dir0to4

 

 

0 Karma
Reply
Solved! Jump to solution

rileyken
Explorer
‎07-31-2019 05:11 AM

This was just what I was looking for! Thanks Jamie

0 Karma
Reply
Solved! Jump to solution
Solution

jaime_ramirez
Communicator
‎07-30-2019 10:49 AM

For myfacility field:

...
| rex field=source "\/usr\/local\/myfiles\d+\/myfacility(?<myfacility>.*?)\/Debug\/ADT\/"

And for everything between the /usr/local/myfiles? and the /Debug/ADT/ADT:

...
| rex field=source "\/usr\/local\/myfiles(?<myfacilityPath>.*?)\/Debug\/ADT\/"

Hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...