Solved: Extracting File Type

behymejt2012 · ‎05-06-2013

Hi Everyone,

Trying to extract the File Type from Files (ex: pst, xml, etc). I have tried to split it:

eval split =Split(File,".") | eval type=mvindex(split,1)

But a problem occurs when files like: "2012-12-08 15.36.01.jpg" show up due to the extra "." in the file name.

Is there any recommended rex, or method that can be used to pull the file type from the end of the File name instead of trying to split everything up.

Thanks

Ayn · ‎05-06-2013

If you read the docs, they have the following to say about the mvindex command:

For mvindex(mvfield, startindex, [endindex]), endindex is inclusive and optional; both startindex and endindex can be negative, where -1 is the last element.

So, eval type=mvindex(split,-1) should do the trick.

Otherwise, if you want a rex solution, you could do

... | rex field=File "(?<type>[^.]+)$"

View solution in original post

Ayn · ‎05-06-2013

If you read the docs, they have the following to say about the mvindex command:

For mvindex(mvfield, startindex, [endindex]), endindex is inclusive and optional; both startindex and endindex can be negative, where -1 is the last element.

So, eval type=mvindex(split,-1) should do the trick.

Otherwise, if you want a rex solution, you could do

... | rex field=File "(?<type>[^.]+)$"

Ayn · ‎05-06-2013

Sorry, like it says - you need to include a group name at the beginning. I updated my answer with correct syntax.

behymejt2012 · ‎05-06-2013

Thanks,

When I try and use the rex I get the following error (havent really used rex): "Error in 'rex' command: The regex '([^.]+)$' does not extract anything. It should specify at least one named group. Format: (?...)."

Extracting File Type

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...