Splunk Search

extract file name from the source using rex

Explorer

My regex to extract a file from a source field works: [^/]*(?=($|\?))

For example:

/nfs/tibcosoftware/Splunk/impactAnalysis/freight/TestProject/1.0-SNAPSHOT-31/defaultVars/folder/defaultVars.substvar

returns
defaultVars.substvar
See here - http://www.regexr.com/3bvp8

But when I try using this in the rex search command, I cannot get the same result. Why?

sourcetype=tibco_ia | rex field=source  "(?<iaFileName>.*)[^/]*(?=($|\?))" | table iaFileName

This returns full file path - /nfs/tibcosoftware/Splunk/impactAnalysis/freight/TestProject/1.0-SNAPSHOT-31/defaultVars/folder/defaultVars.substvar, but I expected to get defaultVars.substvar

Please advise?

0 Karma
1 Solution

SplunkTrust

Try something like this

sourcetype=tibco_ia | rex field=source ".*/(?<iaFileName>.*)$" | table iaFileName

Communicator

This is the simplest answer on this query so far.

0 Karma
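The following is an added example, not part of any post in this thread. It runs the question's pattern and the accepted answer's pattern over the path from the question plus two constructed values, to show why the greedy `.*` inside the named group captures the whole path. JavaScript's regex engine stands in for the PCRE engine behind `rex`, and the `wrapped` pattern (the asker's original expression with the named group placed around `[^/]*`) is an assumption added for comparison.

```javascript
// Patterns are copied verbatim from the thread, except "wrapped" (assumption, see lead-in).
const patterns = {
  // Question: the greedy .* inside the group consumes the entire value, then
  // [^/]* matches the empty string and the lookahead succeeds at end of input.
  asked: String.raw`(?<iaFileName>.*)[^/]*(?=($|\?))`,
  // Accepted answer: greedy .*/ runs to the LAST slash; the group takes the rest.
  accepted: String.raw`.*/(?<iaFileName>.*)$`,
  // Hypothetical variant: named group around the part that matches the file name.
  wrapped: String.raw`(?<iaFileName>[^/]*)(?=($|\?))`,
};

// Like rex, take the first match only; null means the field would not be set.
function extract(name, source) {
  const m = new RegExp(patterns[name]).exec(source);
  return m ? m.groups.iaFileName : null;
}

const samples = {
  // Path quoted in the question.
  fromQuestion:
    "/nfs/tibcosoftware/Splunk/impactAnalysis/freight/TestProject/1.0-SNAPSHOT-31/defaultVars/folder/defaultVars.substvar",
  // Constructed: a source value with no directory part.
  noSlash: "defaultVars.substvar",
  // Constructed: a source value that carries a query string.
  withQuery: "/nfs/reports/export.csv?rev=2",
};

// Build a { sample: { pattern: extractedValue } } table for every combination.
function report() {
  const out = {};
  for (const [label, source] of Object.entries(samples)) {
    out[label] = {};
    for (const name of Object.keys(patterns)) {
      out[label][name] = extract(name, source);
    }
  }
  return out;
}

console.table(report());
```

The `noSlash` row shows the accepted pattern matching nothing when the value has no `/`, and the `withQuery` row shows that none of the three patterns strips a query string: `[^/]*` is greedy and reaches end of input before the `\?` branch of the lookahead is ever tried.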