Splunk Search

regex path without filename from source

Moritz
Explorer

Hallo,
I fruitless tried to extract the path from the source field. My latest test is:

source="C:\\Users\\...\\...\\Logs\\*"   | rex field=source "(?<path>.*)\\.*$"
Tags (3)
0 Karma
1 Solution

somesoni2
Revered Legend

Try this

| rex field=source "(?<path>.*)[//\\\]+.[a-zA-Z.]*"

View solution in original post

somesoni2
Revered Legend

Try this

| rex field=source "(?<path>.*)[//\\\]+.[a-zA-Z.]*"

Moritz
Explorer

@rahulroy_splunk: this is what i was searching for. thank you! thank you somesoni2 for your help.

0 Karma

rahulroy_splunk
Path Finder

This will also work.
| rex field=source "(?.*)[//\\\]"

somesoni2
Revered Legend

I am still not clear with the requirement. Would it be possible for your provide example. like for "C:\test\test9\some9sample.log", result should be "C:\test\test9"

0 Karma

Moritz
Explorer

my backslashes were deleted..

i'd like to accept in the filename all characters except the backslash. so i thougt for something like [\\][^\\]* for the last part. (i dont really understand [//\\\].)

0 Karma

somesoni2
Revered Legend

Could you be little more specific? probably an example?

0 Karma

Moritz
Explorer

Thank you.
A little bit better version is:
rex field=source "(?.)[//\\\]+.[a-zA-Z.0-9]"

How is it possible to find all characters except \ in the latter part?

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...