Solved: extract file name from the source using rex

raghunand · ‎10-13-2015

My regex to extract a file from a source field works: [^/]*(?=($|\?))

For example:

/nfs/tibcosoftware/Splunk/impactAnalysis/freight/TestProject/1.0-SNAPSHOT-31/defaultVars/folder/defaultVars.substvar

returns
defaultVars.substvar
See here - http://www.regexr.com/3bvp8

But when I try using this in the rex search command, I cannot get the same result. Why?

sourcetype=tibco_ia | rex field=source  "(?<iaFileName>.*)[^/]*(?=($|\?))" | table iaFileName

This returns full file path - /nfs/tibcosoftware/Splunk/impactAnalysis/freight/TestProject/1.0-SNAPSHOT-31/defaultVars/folder/defaultVars.substvar, but I expected to get defaultVars.substvar

Please advise?

somesoni2 · ‎10-13-2015

Try something like this

sourcetype=tibco_ia | rex field=source ".*/(?<iaFileName>.*)$" | table iaFileName

View solution in original post

somesoni2 · ‎10-13-2015

Try something like this

sourcetype=tibco_ia | rex field=source ".*/(?<iaFileName>.*)$" | table iaFileName

varad_joshi · ‎06-29-2016

This is the simplest answer on this query so far.

extract file name from the source using rex

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

extract file name from the source using rex

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR