How to edit my current rex search to extract path names?

Federica_92
Communicator

Hi everyone,

I have a problem building an SPL query with the regular expression:

This is an example of my data:
These are all pathnames

 root/home/1/2/3/4/5/6/
 root/home/1/2/3/4
 root/home/0/9/11
 root/home/0/9/22

and so on...

I would like to edit my data based on one specific folder, so for example, if the folder is 2, I would like to obtain:

 root/home/1/*
 root/home/1/*
 root/home/0/9/11
 root/home/0/9/22

If the folder were home, my data would be:

root/*

Actually, all my pathnames are raw data, so to extract them I use this search, which works fine:

  index=main | rex "\\s\\-\\s\\[(?<path_d>.+)\]" | fields path_d

How can I create a new search, using the results of this previous search, that does what I asked above?

Please, let me know.

1 Solution

woodcock
Esteemed Legend

Like this:

for "2":

index=main | rex "\\s\\-\\s\\[(?<path_d>.+)\]" | eval new_path=path_d | rex field=new_path mode=sed "s%/2/.*%/*%" | stats values(new_path)

for "home":

index=main | rex "\\s\\-\\s\\[(?<path_d>.+)\]" | eval new_path=path_d | rex field=new_path mode=sed "s%/home/.*%/*%" | stats values(new_path)
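The sed substitution used above, re-implemented in Python as an added illustration (not part of the original thread), to show how `s%/<folder>/.*%/*%` treats each of the question's sample paths, how `stats values()` collapses the duplicates, and why a folder name that comes from a user token should be regex-escaped before it is placed in the pattern:

```python
import re

# Constructed sample paths, matching the examples in the question.
SAMPLE_PATHS = [
    "root/home/1/2/3/4/5/6/",
    "root/home/1/2/3/4",
    "root/home/0/9/11",
    "root/home/0/9/22",
]


def wildcard_after(path: str, folder: str) -> str:
    """Equivalent of  rex mode=sed "s%/<folder>/.*%/*%".

    Everything from the first "/<folder>/" onward is collapsed to "/*".
    A path that does not contain "/<folder>/" (including one where the
    folder is the last component with no trailing slash) is unchanged.
    re.escape makes a token such as "." or "*" match literally instead
    of being interpreted as regex syntax.
    """
    pattern = re.compile("/" + re.escape(folder) + "/.*")
    return pattern.sub("/*", path, count=1)


def wildcard_paths(paths, folder):
    """Apply wildcard_after to every path and return the distinct results
    in lexicographic order, which is what  | stats values(new_path)  yields."""
    return sorted({wildcard_after(p, folder) for p in paths})


if __name__ == "__main__":
    for folder in ("2", "home"):
        print(folder, wildcard_paths(SAMPLE_PATHS, folder))
```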

Federica_92
Communicator

thank you : )


cpetterborg
SplunkTrust

I'd like to confirm what it is that you want to do by asking some questions:

Question 1:
Do your events only contain the path that you want, or are you getting the path as you describe in the first code box from the extracted values from your rex command (in the path_d result)?

Question 2:
Would you like the final output of the search from the events in the first box to look exactly like the results in the second box (specifically that you also have 4 entries)?

Question 3:
Do you only want one result as you show in the third box (only one event), or would you want four events all the same (your results seem to be inconsistent if not)?

Question 4:
Do you want the results that don't match your criteria (e.g. 2 or home subdirectories) to be unchanged?


Federica_92
Communicator

Question 1:
To get the paths, I'm using the rex command, and they are the path_d results.

Question 2:
I can have infinite entries, like 10000 events. Based on the user's parameters, I would like to wildcard a specific parameter. And I would like to have the results of only the second box. In this case the parameter was 2.

Question 3:
Yes, I would like only one result, so dedup the copies, to have consistent data.
I have written 2 equal pathnames in this example to make it understandable for other people.

Question 4:
Yes, if they don't match my criteria (parameter) they have to stay unchanged.

Thank you so much


Federica_92
Communicator

For now, I have created 2 queries, one that writes all the results that are not changing, and another one that writes the results that are changing:

  search: mvc.tokenSafe("index=main File:read | rex \"\\s\\-\\s\\[(?<path_dd>.+)\ $mytoken2$\" | dedup path_dd | eval path=path_dd+\"*\" | sort by path| table path | outputlookup output.csv append=True")

fdi01
Motivator

Can you explain your lab correctly?
