- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I split a string which contains a path so I...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have several thousand events with a path such as d:\RNREDINFFTP01-AVREDINFWFS01\ebtest1\foo\bar\filename2.txt. The folder name is not static - I'm using a fschange monitor to pull the events so the root directory RNREDINFFTP01-AVREDINFWFS01 and the tertiary directories are not static.
I want to show the size of the files based on the first or second directory, depending on the users need for detail. For instance.
d:\RNREDINFFTP01-AVREDINFWFS01 100 files 100mb
OR
d:\RNREDINFFTP01-AVREDINFWFS01\ebtest1 50 files 50mb
d:\RNREDINFFTP01-AVREDINFWFS01\ebtest2 40 files 40mb
d:\RNREDINFFTP01-AVREDINFWFS01\ebtest3 10 files 10mb
I doubt I'll ever go past the 2nd directory. I've tried using rex and can't seem to get the groups right. If I was using vbscript or powershell I'd simply call split based on \ and then group by the first or the first+second directories. What am I missing?? ...and... what is the best way to tackle this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
... rex field=source "(?<PathPrefix>(?:[^\\\]+\\\){2})"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to adapt this for a UNIX path, and I can't tell why it's not working.
I have is
rex field=uri "(?<PathPrefix>(?:[^/]+/){2})"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, it turns out you need an additional escape character like this (fixed in original answer, too):
... rex field=source "(?<PathPrefix>(?:[^\\\]+\\\){2})"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did it! Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That regex doesn't compile.
If you meant to use a non-capturing group it should be (?:, not (?;.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks but I'm getting a different error now, Error in 'rex' command: Encountered the following error while compiling the regex '(?(?:[^]+){2})': Regex: missing terminating ] for character class .
I don't see any issues, there's matching Parens and Braces. Any ideas?
Thanks - Eric
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, thank you for catching the typo (stupid dumb-phone keyboard). It is fixed now.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
