Solved: How do I use rex to extract filenames from UNC pat...

mrgibbon · ‎06-09-2016

Hi All,

I've looked at quite a few answers to this issue and none seem to work for me.

Data Sample:

\\BLAH01\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH01\Group\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH01\Groups\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\coreos\coreos.vmx
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.vmx
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.nvram
\\BLAH02\BLAH\x\BLAH\VMware\VMware_Horizon6\ACP!5C!s_BLAH.vmdk
\\BLAH02\BLAH\RAMS\$Research\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH02\BLAH\Fil01\e_ev\Group\BLAH\Backups\Copy of BLAH\index.asp.LCK
\\BLAH02\BLAH\Fil01\d_ev\Users\BLAH\old pc files\BLAH\Local Settings\Application Data\Microsoft\Silverlight\mssl.lck

I just need a simple rex to pull out the filenames.
It should be easy, but it's taking me forever.
Can anyone help?

Thanks in advance.

javiergn · ‎06-10-2016

See if the following helps:

| rex field=yourfieldname "(?<filename>[^\\\]+$)"

Example:

| stats count | fields - count
| eval raw = "
\\BLAH01\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Group\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Groups\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\coreos\coreos.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.nvram;
\\BLAH02\BLAH\x\BLAH\VMware\VMware_Horizon6\ACP!5C!s_BLAH.vmdk;
\\BLAH02\BLAH\RAMS\$Research\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\Fil01\e_ev\Group\BLAH\Backups\Copy of BLAH\index.asp.LCK;
\\BLAH02\BLAH\Fil01\d_ev\Users\BLAH\old pc files\BLAH\Local Settings\Application Data\Microsoft\Silverlight\mssl.lck
"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<filename>[^\\\]+$)"

Output: see picture

View solution in original post

javiergn · ‎06-10-2016

See if the following helps:

| rex field=yourfieldname "(?<filename>[^\\\]+$)"

Example:

| stats count | fields - count
| eval raw = "
\\BLAH01\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Group\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Groups\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\coreos\coreos.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.nvram;
\\BLAH02\BLAH\x\BLAH\VMware\VMware_Horizon6\ACP!5C!s_BLAH.vmdk;
\\BLAH02\BLAH\RAMS\$Research\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\Fil01\e_ev\Group\BLAH\Backups\Copy of BLAH\index.asp.LCK;
\\BLAH02\BLAH\Fil01\d_ev\Users\BLAH\old pc files\BLAH\Local Settings\Application Data\Microsoft\Silverlight\mssl.lck
"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<filename>[^\\\]+$)"

Output: see picture

mrgibbon · ‎06-10-2016

That is 400 different types of awesome!
Thanks so much!
:)

mrgibbon · ‎06-10-2016

Is there a way of getting the path without the filename on the end? 🙂

javiergn · ‎06-10-2016

Yes, try this:

| rex field=yourfieldname "(?<path>.+)\\\(?<filename>[^\\\]+$)"

Keep in mind Splunk is replacing the double backslash with single backslash on my example, but the principle is the same anyway.

How do I use rex to extract filenames from UNC paths?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!