Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the file extensions from Filename field values into a new field and filter against a static list?

jclemons7
Path Finder
‎08-27-2015 02:03 PM

Hello

I have a field called "Filename" and I'd like to attain the equivalent of SQL's Where FieldName IN (). The field has values as follows of course:

Test.txt
MyFiles.html
My Compiled Code.exe

I want to basically say "give me every FileName where extension in (txt,exe)". I'd also like to end up with a field called "extension" that does not include the preceding .

How I would do that in SQL is to parse the string after the first dot, then compare it to a list using the IN keyword..

Any help is greatly appreciated..

Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎08-27-2015 02:58 PM

Hi jclemons7,

based on your provided example you can try something like this:

your base search here to get the list 
| rex field="Filename" "\.(?<extension>[^\.]*$)" 
| search extension="txt" OR extension="exe" | ...

This will create the extension field using the regex to match everything after the last . which is not a ., search for extension txt or exe and you can use it to process further down the Splunk search.

Hope this helps to get you started ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎08-27-2015 02:58 PM

Hi jclemons7,

based on your provided example you can try something like this:

your base search here to get the list 
| rex field="Filename" "\.(?<extension>[^\.]*$)" 
| search extension="txt" OR extension="exe" | ...

This will create the extension field using the regex to match everything after the last . which is not a ., search for extension txt or exe and you can use it to process further down the Splunk search.

Hope this helps to get you started ...

cheers, MuS

Reply
Solved! Jump to solution

mrgibbon
Contributor
‎07-14-2016 04:35 PM

Thanks MuS!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...