Splunk Search

What regex to use to drop everything after the last occurrence of a symbol?

jpfrancetic
Path Finder

Hi Splunk Community,

I am working on a regex to filter the sources I am getting from logs. I am trying to drop everything after the last "/" in the field but I am having problems filtering.

My current sources look something like: /db2audit/fs01/db2inst1/extract/abc123/file.del

I am trying to filter it to look like: /db2audit/fs01/db2inst1/extract/abc123

Thanks in advance!

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try this command.

| rex mode=sed field=foo "s/(.*)\/.*?$/\1/"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jpfrancetic,

if the first part is fixed in the first four folders, you could extract something like this:

| rex field=source "^(?<path>(\/\w+){4}).*(?<filename>\/\w+\.\w+$)"

that you can test at https://regex101.com/r/j7XgJ5/1

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this command.

| rex mode=sed field=foo "s/(.*)\/.*?$/\1/"
---
If this reply helps you, Karma would be appreciated.
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jpfrancetic,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...