Rex for drive letters

nashia · ‎05-22-2019

I only want to look at built in shares like A$-Z$, but not ADMIN$ or IPC$. Is there a rex expression that will allow me to do this?

rex field=share_name "(?[a-zA-Z]{1}+)\$+" works similarly, where I get A$, C$, D$, G$, etc; but it will also give me C$ from the end of IPC$ and N$ from the end of ADMIN$.

I guess what I need is to first only rex if there are two characters (letter + $)... Any help is appreciated.

FrankVl · ‎05-22-2019

What is in the share_name field? Just the short name, or a full url like \servername\c$?

harsmarvania57 · ‎05-22-2019

Hi,

Please try below regex

| rex field=share_name "^(?<drive>[a-zA-Z]\$)"

nashia · ‎05-22-2019

Hi, Thank you for your answer; unfortunately it does not work.

FrankVl · ‎05-22-2019

Can you be a bit more specific than "it does not work"?

FrankVl · ‎05-22-2019

Second z should be Z I guess? 😉

But yes, that should do the trick. If the share_name contains a full UNC path, try "\\(?<drive>[a-zA-Z]\$)"

harsmarvania57 · ‎05-22-2019

Thanks for pointing this. 🙂

Rex for drive letters

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Rex for drive letters

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25