Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk rex help: regex for windows and unix path

hbustam8063
New Member
‎10-30-2019 07:10 PM

Hi, I am a newbie to SPL. I am trying to write a regex that will extract the unix/windows path from the full_log field. I am having no luck with that. Can you please help? The following regex is for Windows. Thank you for your help.
HB

index="newindx" agent.name="*-svrname-*" "*checksum*" | rex field=full_log "^File\s+(?<checksum_changed>^\'[a-zA-Z]:\\[\\\S|*\S]?.*'$)\s+checksum\s+changed.+"

full_log: File '/apps/data/db.data' checksum changed.
full_log: File 'c:\windows\system32\xpsservices.dll' checksum changed.
0 Karma
Reply

woodcock
Esteemed Legend
‎11-22-2019 09:08 AM

Like this:

... | rex field=full_log "'(?<NewFieldNameHere>[^']+)'"
Reply

jpolvino
Builder
‎11-22-2019 08:59 AM

Keep it simple!

rex field=full_log "^full_log:\sFile\s'(?<filename>[^']+)'\schecksum changed\."

Rather than trying to guess all legal characters, why not just tell rex "anything but a single quote" ?

This strategy will save you a lot of time, improve readability, and make your extractions much more durable.

See regex: https://regex101.com/r/iz1eYY/1

0 Karma
Reply

darrenfuller
Contributor
‎11-19-2019 08:09 AM

Here is my attempt...

rex field=full_log "File\s\'(?<pathname>.+[\/\\])[^\\\/]+\'\schecksum\schanged\."

https://regex101.com/r/87ro6z/1

0 Karma
Reply

vikcee
Path Finder
‎10-30-2019 10:42 PM

@hbustam8063

You can also use this. 

...|rex " ( full_log: File\s\')(?<Path>(.*)+)[\/\\]\w+\.\w+'"

and to check your rex :- https://rubular.com/r/M2QDmpGvQr0Yts

Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-30-2019 07:46 PM

Try ... | rex field=full_log "File '(?<path>.*)[\\\/]\w+\.\w+'". If that doesn't work, you may need more escape characters so try ...| rex field=full_log "File '(?<path>.*)[\\\\\/]\w+\.\w+'".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...