Solved: Re: Splunk Regex Question

NeonFlash · ‎07-25-2012

I want to list all the file names in a log file in Splunk whose name ends with, "_bn.txt"

Let's say the field name is path

so my regex looks like

regex path=".*_bn.txt$"

However, this does not list down the results.

But if I use the following regex:

regex path=".*.txt$"

I am able to see all the filenames which end in .txt.

Need to find all the file names ending in, _bn.txt

Thanks.

PS: I don't think underscore is a metacharacter which needs to be escaped.

lguinn2 · ‎07-25-2012

Underscore is not a metacharacter, but the period is.

regex path=".*_bn\.txt$"

would be more accurate. But if there were files that ended in _bn.txt, the first regular expression still should have matched them...

So are you sure that there are any file names ending in _bn.txt in the time range that you are searching?

View solution in original post

lguinn2 · ‎07-25-2012

Underscore is not a metacharacter, but the period is.

regex path=".*_bn\.txt$"

would be more accurate. But if there were files that ended in _bn.txt, the first regular expression still should have matched them...

So are you sure that there are any file names ending in _bn.txt in the time range that you are searching?

NeonFlash · ‎07-26-2012

Hi, yes, the regex worked. For some reason when I ran the splunk query for the first time, it did not work. Yes, I escaped the metacharacter with a backslash. @Ayn: In my case the field name is different 🙂

Ayn · ‎07-26-2012

Also, where are you getting the field name path from? If you're talking about Splunk's field for showing the path of input files, that field's name is source.

Splunk Regex Question

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!