Splunk Search

extract basename from path

deenadp
Explorer

Hi,
I'm trying to extract the basename, that is abc.log, from the path below

D:\Program Files\User\abc.log

using | eval source= replace(source, ".*/", "")
or

| eval source= replace(source, ".*\.", "") 

but this is printing the full path. Can you please suggest a solution?

0 Karma
1 Solution

somesoni2
Revered Legend

Try any of these (first line is to generate the dummy rows, replace it with your search)

| gentimes start=-1 | eval source="D:\Program Files\User\abc.log" | table source 
| rex field=source "\\\(?<filename>\w+\.\w+)$" 
| eval filename2=replace(source,"([^\\\]+\\\)","")


0 Karma

judevine
Explorer

A very late reply.  But this works very well to get the base path:

| makeresults
| eval path="/opt/splunk/etc/system/local/inputs.conf"
| eval base_path=replace(path,"\/[^\/]+\.[^\/]+$","")
| table path base_path

0 Karma

bwlm
Path Finder

For just getting the basename / filename from a file path (e.g. the executable file from a Windows Security 4688 new process event) I would just use the Splunk built-in multivalue eval functions "split" and "mvindex". If regex can be avoided for simplicity, I would suggest that, unless it is the best tool for the job.

| eval ExeName=mvindex(split(New_Process_Name,"\\"),-1)

0 Karma

deenadp
Explorer

Yes, the file name always appears after "D:\Program Files\User\" and what I want is only the string before "_00459E5E.log" from the file name.

i.e., "EXTRACT_VP_IN_SVN_TEST_USER"

0 Karma

deenadp
Explorer

Hi, the below one worked fine.

  | eval filename2=replace(source,"([^\\\]+\\\)","")

However my log file is like

D:\Program Files\User\EXTRACT_VP_IN_SVN_TEST_USER_00459E5E.log

It prints "EXTRACT_VP_IN_SVN_TEST_USER_00459E5E.log". I need only EXTRACT_VP_IN_SVN_TEST_USER in a field. Any ideas are much appreciated.

0 Karma

somesoni2
Revered Legend

Is there any pattern for your file names that can be used to drop those extra characters?

0 Karma

deenadp
Explorer

Yes, the log file always appears after "D:\Program Files\User"
and the file name always comes after "EXTRACT_VP_IN" and before "_00459E5E.log".

What I need is only "SVN_TEST_USER".

0 Karma
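
The two steps discussed in this thread (take the basename of a Windows path, then cut the application-specific prefix and suffix off it), pulled together as one added SPL example written for this page; it is not code from any of the posters. It assumes SPL string rules where `\\` inside a double-quoted literal is one backslash, the sample paths are constructed (one of the asker's log names, a 4688-style process path, a UNC path and a Linux path, the last two included to show where a backslash-only split falls short), the `_00459E5E.log` suffix is treated as the literal constant the asker described, and the field names `exe_split`, `basename`, `basename_lc`, `stem` and `user_part` are illustrative.

```spl
| makeresults
| eval path=split("D:\\Program Files\\User\\EXTRACT_VP_IN_SVN_TEST_USER_00459E5E.log;C:\\Windows\\System32\\cmd.exe;\\\\fileserver\\share\\tool.exe;/opt/splunk/bin/splunk", ";")
| mvexpand path
| eval exe_split=mvindex(split(path, "\\"), -1)
| rex field=path "(?<basename>[^\\\/]+)$"
| eval basename_lc=lower(basename)
| rex field=basename "^(?<stem>EXTRACT_VP_IN_.+)_00459E5E\.log$"
| rex field=stem "^EXTRACT_VP_IN_(?<user_part>.+)$"
| table path exe_split basename basename_lc stem user_part
```

`exe_split` is the split/mvindex approach from this thread and only understands backslashes, so the Linux row keeps its whole path there; the `rex` with `[^\\\/]+$` stops at either separator and handles the UNC path as well. `basename_lc` exists because Windows paths are case-insensitive, so any detection that compares a 4688 process name against a list should compare the lowercased value. `rex` leaves `stem` and `user_part` empty on the rows that do not carry the `EXTRACT_VP_IN_..._00459E5E.log` shape rather than erroring, which is what you want when the same search runs over mixed sources.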

sk314
Builder

You should try Field Extractions in Splunk : http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX

For the example, you could try something like this:

| rex field=source "(?<=\\\)(?<filename>[^\\\]+\.log)"

0 Karma

sk314
Builder

@somesoni2 provides a much better regex (unsurprisingly) and also that would work for any file extension. I will now go ahead and drown in my sorrow.

0 Karma