Splunk Regex Question

NeonFlash
Explorer

I want to list all the file names in a log file in Splunk whose names end with "_bn.txt".

Let's say the field name is path

so my regex looks like

regex path=".*_bn.txt$"

However, this does not list down the results.

But if I use the following regex:

regex path=".*.txt$"

I am able to see all the filenames which end in .txt.

Need to find all the file names ending in, _bn.txt

Thanks.

PS: I don't think underscore is a metacharacter which needs to be escaped.

0 Karma

lguinn2
Legend

Underscore is not a metacharacter, but the period is.

regex path=".*_bn\.txt$"

would be more accurate. But if there were files that ended in _bn.txt, the first regular expression still should have matched them...

So are you sure that there are any file names ending in _bn.txt in the time range that you are searching?

NeonFlash
Explorer

Hi, yes, the regex worked. For some reason, when I ran the Splunk query for the first time, it did not work. Yes, I escaped the metacharacter with a backslash. @Ayn: In my case the field name is different 🙂

0 Karma

Ayn
Legend

Also, where are you getting the field name path from? If you're talking about Splunk's field for showing the path of input files, that field's name is source.

0 Karma
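
An added example, not part of the original thread: a run-anywhere search over constructed sample paths that compares the unescaped and escaped patterns discussed in the accepted answer. It uses eval's match() instead of the regex command so both patterns can be evaluated side by side on the same rows; the sample paths and the field names unescaped_dot and escaped_dot are made up for illustration.

```spl
| makeresults
| eval path=split("/var/log/app/report_bn.txt,/var/log/app/report_bn_txt,/var/log/app/report_bnXtxt,/var/log/app/report_bn.txt.bak,/var/log/app/summary.txt", ",")
| mvexpand path
| eval unescaped_dot=if(match(path, ".*_bn.txt$"), "match", "no match")
| eval escaped_dot=if(match(path, ".*_bn\.txt$"), "match", "no match")
| table path unescaped_dot escaped_dot
```

Both patterns accept report_bn.txt, which is why the original search should already have returned such files; only the unescaped one also accepts names where some other character sits in front of txt.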