I'm working with a custom Windows EventLog that contains successful file upload events. I'm attempting to extract just the filenames from the full UNC path that is listed in the event. Most of the paths are about 3 folders deep, like this:
Message=File received from user: user1 - file name: \\server\category\type\loca-tion\filename.zip size: 1157112 date: 5/17/2011 4:48:50 PM
Message=File received from user: user1 - file name: \\server\category\type\lo-cation\filename.zip size: 1157112 date: 5/17/2011 4:48:50 PM
Message=File received from user: user1 - file name: \\server\category\type\location\filename.zip size: 1157112 date: 5/17/2011 4:48:50 PM
The field extraction in Splunk (we're stuck at 4.0.11 for now and won't be able to upgrade to 4.2 for at least a month) gives me a regex of this:
(?im)^(?:[^\-]*\-){4}\w+\\(?P<FIELDNAME>[^ ]*)[ ]
Unfortunately, this catches all the files in folders with hyphens, but misses all files in folders with no hyphen. What needs to be removed from this regex so it catches ALL of the files from the above sample structures?
--edit--
For some reason the slashes all seem to be missing from my post. They show up in the preview, but most of them in the UNC paths are missing in the actual post. As a result, what I'm asking about probably makes no sense. Do we have to escape slashes in the posts here to get them to show up?
Thanks!
Manually defining such an extraction might be a better solution here:
props.conf
EXTRACT-filename = file name:\s+(?<file_path>\\\\\S+?(?<filename>[^\\\s]+))\s+
To have all kinds of characters show up in the post, you can simply select the text and click on the "code" formatting in the menu bar.
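Checking the answer's extraction against the three sample messages, as an added Python example that is not part of the original thread: the `(?<name>...)` groups are rewritten as `(?P<name>...)` for Python's `re`, and a fourth constructed event with a space in a folder name shows where the `\S+?` part stops short.

```python
import re

# Constructed sample events, copied from the three message formats in the question.
SAMPLE_EVENTS = [
    r"Message=File received from user: user1 - file name: \\server\category\type\loca-tion\filename.zip size: 1157112 date: 5/17/2011 4:48:50 PM",
    r"Message=File received from user: user1 - file name: \\server\category\type\lo-cation\filename.zip size: 1157112 date: 5/17/2011 4:48:50 PM",
    r"Message=File received from user: user1 - file name: \\server\category\type\location\filename.zip size: 1157112 date: 5/17/2011 4:48:50 PM",
]

# Constructed edge case (not from the question): a folder name containing a space.
SPACE_FOLDER_EVENT = (
    r"Message=File received from user: user1 - file name: \\server\category\type\my folder\filename.zip size: 1157112 date: 5/17/2011 4:48:50 PM"
)

# The answer's EXTRACT-filename regex, anchored on the literal "file name:" label instead of
# counting hyphens. \\\\ matches the two leading backslashes of the UNC path, \S+? lazily
# consumes the folder part, and filename is the final run of non-backslash, non-space characters.
ANCHORED_REGEX = re.compile(
    r"file name:\s+(?P<file_path>\\\\\S+?(?P<filename>[^\\\s]+))\s+"
)


def extract_anchored(event):
    """Return (file_path, filename) for one event, or None if the label is absent."""
    m = ANCHORED_REGEX.search(event)
    return (m.group("file_path"), m.group("filename")) if m else None


def extract_filenames(events):
    """Run the extraction over a batch of events; unmatched events yield None."""
    results = []
    for event in events:
        hit = extract_anchored(event)
        results.append(hit[1] if hit else None)
    return results


if __name__ == "__main__":
    for event in SAMPLE_EVENTS + [SPACE_FOLDER_EVENT]:
        print(extract_anchored(event))
```

On the space-in-folder event the extraction returns `my` as the filename, because `\S+?` cannot cross the space and the `\s+` after the filename group matches there first; paths with spaces need a different terminator (for example the literal ` size:` that follows the path in these events).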
Ah, that works much better. Thank you!