Solved: regex path without filename from source

Moritz · ‎02-03-2014

Hallo,
I fruitless tried to extract the path from the source field. My latest test is:

source="C:\\Users\\...\\...\\Logs\\*"   | rex field=source "(?<path>.*)\\.*$"

somesoni2 · ‎02-03-2014

Try this

| rex field=source "(?<path>.*)[//\\\]+.[a-zA-Z.]*"

View solution in original post

somesoni2 · ‎02-03-2014

Try this

| rex field=source "(?<path>.*)[//\\\]+.[a-zA-Z.]*"

Moritz · ‎02-05-2014

@rahulroy_splunk: this is what i was searching for. thank you! thank you somesoni2 for your help.

rahulroy_splunk · ‎02-04-2014

This will also work.
| rex field=source "(?.*)[//\\\]"

somesoni2 · ‎02-04-2014

I am still not clear with the requirement. Would it be possible for your provide example. like for "C:\test\test9\some9sample.log", result should be "C:\test\test9"

Moritz · ‎02-04-2014

my backslashes were deleted..

i'd like to accept in the filename all characters except the backslash. so i thougt for something like [\\][^\\]* for the last part. (i dont really understand [//\\\].)

somesoni2 · ‎02-04-2014

Could you be little more specific? probably an example?

Moritz · ‎02-04-2014

Thank you.
A little bit better version is:
rex field=source "(?.)[//\\\]+.[a-zA-Z.0-9]"

How is it possible to find all characters except \ in the latter part?

regex path without filename from source

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

regex path without filename from source

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25