extract basename from path

deenadp
Explorer

Hi,
I'm trying to extract the basename, that is abc.log, from the below

D:\Program Files\User\abc.log

using | eval source= replace(source, ".*/", "")
or

| eval source= replace(source, ".*\.", "") 

but this is printing the full path. Can you please suggest a solution?

somesoni2
Revered Legend

Try any of these (first line is to generate the dummy rows, replace it with your search)

| gentimes start=-1 | eval source="D:\Program Files\User\abc.log" | table source 
| rex field=source "\\\(?<filename>\w+\.\w+)$" 
| eval filename2=replace(source,"([^\\\]+\\\)","")


judevine
Explorer

A very late reply. But this works very well to get the base path:

| makeresults
| eval path="/opt/splunk/etc/system/local/inputs.conf"
| eval base_path=replace(path,"\/[^\/]+\.[^\/]+$","")
| table path base_path


bwlm
Path Finder

For just getting the basename / filename from a file path (e.g. executable file from Windows Security 4688 - new process event) I would just use the Splunk built-in Multivalue eval functions "split" and "mvindex" commands. If regex can be avoided for simplicity, I would suggest that - unless it is the best tool for the job.

| eval ExeName=mvindex(split(New_Process_Name,"\\"),-1)



deenadp
Explorer

Yes, the file name always appears after ":D\Program Files\User\" and what I want is only the strings before "_00459E5E.log" from the file name.

i.e., "EXTRACT_VP_IN_SVN_TEST_USER"


deenadp
Explorer

Hi, the below one worked fine.

  | eval filename2=replace(source,"([^\\\]+\\\)","")

However my log file is like

D:\Program Files\User\"EXTRACT_VP_IN_SVN_TEST_USER_00459E5E.log

It prints "EXTRACT_VP_IN_SVN_TEST_USER_00459E5E.log". I need only EXTRACT_VP_IN_SVN_TEST_USER in a field. Any ideas are much appreciated.


somesoni2
Revered Legend

Is there any pattern for your file names that can be used to drop those extra characters?


deenadp
Explorer

Yes, the log file always appears after "D:\Program Files\User"
and the file name always comes after "EXTRACT_VP_IN" and before

"_00459E5E.log"

What I need is only "SVN_TEST_USER"

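The three operations discussed in this thread (last path component via split/mvindex, base path via replace, and the "between a fixed prefix and suffix" stem the asker finally wants) expressed as Python equivalents of the SPL regexes, so they can be checked against sample paths before being put into a search. This is an added example, not code from any poster; the sample paths are constructed (the two D:\ ones are the asker's own values) and the prefix/suffix arguments are assumptions drawn from the thread.

```python
import re

# Constructed sample paths: Windows and POSIX separators, as seen in the thread.
SAMPLES = [
    r"D:\Program Files\User\abc.log",
    r"D:\Program Files\User\EXTRACT_VP_IN_SVN_TEST_USER_00459E5E.log",
    "/opt/splunk/etc/system/local/inputs.conf",
]


def basename(path: str) -> str:
    """Equivalent of mvindex(split(path, "\\"), -1), but accepting either separator.

    Taking the last component means the directory part can contain dots or
    spaces (e.g. "Program Files") without affecting the result.
    """
    return re.split(r"[\\/]", path)[-1]


def base_path(path: str) -> str:
    """Equivalent of replace(path, "\/[^\/]+\.[^\/]+$", ""): drop the final
    'name.ext' component. A trailing component without a dot is left alone,
    matching the SPL regex's behaviour."""
    return re.sub(r"[\\/][^\\/]+\.[^\\/]+$", "", path)


def stem_between(path: str, prefix: str, suffix: str):
    """Return the part of the basename strictly between a fixed prefix and
    suffix (assumed values from the thread: "EXTRACT_VP_IN_" and
    "_00459E5E.log"), or None when the name does not follow that pattern.
    re.escape keeps the literal dot in ".log" from acting as a wildcard."""
    name = basename(path)
    pattern = re.escape(prefix) + r"(?P<stem>.+)" + re.escape(suffix)
    m = re.fullmatch(pattern, name)
    return m.group("stem") if m else None


if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", basename(p), "|", base_path(p),
              "|", stem_between(p, "EXTRACT_VP_IN_", "_00459E5E.log"))
```

Returning None for names that do not match the prefix/suffix pattern is the behaviour you want in a search, since a silently wrong stem is harder to spot than an empty field.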

sk314
Builder

You should try Field Extractions in Splunk: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX

For the example, you could try something like this:

| rex field=source "(?<=\\\)(?<filename>[^\\\]+(?=.log).log)"


sk314
Builder

@somesoni2 provides a much better regex (unsurprisingly) and also that would work for any file extension. I will now go ahead and drown in my sorrow.
