Splunk Search

regex path without filename from source

Moritz
Explorer

Hallo,
I fruitless tried to extract the path from the source field. My latest test is:

source="C:\\Users\\...\\...\\Logs\\*"   | rex field=source "(?<path>.*)\\.*$"
Tags (3)
0 Karma
1 Solution

somesoni2
Revered Legend

Try this

| rex field=source "(?<path>.*)[//\\\]+.[a-zA-Z.]*"

View solution in original post

somesoni2
Revered Legend

Try this

| rex field=source "(?<path>.*)[//\\\]+.[a-zA-Z.]*"

Moritz
Explorer

@rahulroy_splunk: this is what i was searching for. thank you! thank you somesoni2 for your help.

0 Karma

rahulroy_splunk
Path Finder

This will also work.
| rex field=source "(?.*)[//\\\]"

somesoni2
Revered Legend

I am still not clear with the requirement. Would it be possible for your provide example. like for "C:\test\test9\some9sample.log", result should be "C:\test\test9"

0 Karma

Moritz
Explorer

my backslashes were deleted..

i'd like to accept in the filename all characters except the backslash. so i thougt for something like [\\][^\\]* for the last part. (i dont really understand [//\\\].)

0 Karma

somesoni2
Revered Legend

Could you be little more specific? probably an example?

0 Karma

Moritz
Explorer

Thank you.
A little bit better version is:
rex field=source "(?.)[//\\\]+.[a-zA-Z.0-9]"

How is it possible to find all characters except \ in the latter part?

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...