Solved: How do I use rex to extract filenames from UNC pat...

mrgibbon · ‎06-09-2016

Hi All,

I've looked at quite a few answers to this issue and none seem to work for me.

Data Sample:

\\BLAH01\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH01\Group\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH01\Groups\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\coreos\coreos.vmx
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.vmx
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.nvram
\\BLAH02\BLAH\x\BLAH\VMware\VMware_Horizon6\ACP!5C!s_BLAH.vmdk
\\BLAH02\BLAH\RAMS\$Research\BLAH\ACN\BLAH\Dataline\PARADOX.LCK
\\BLAH02\BLAH\Fil01\e_ev\Group\BLAH\Backups\Copy of BLAH\index.asp.LCK
\\BLAH02\BLAH\Fil01\d_ev\Users\BLAH\old pc files\BLAH\Local Settings\Application Data\Microsoft\Silverlight\mssl.lck

I just need a simple rex to pull out the filenames.
It should be easy, but it's taking me forever.
Can anyone help?

Thanks in advance.

javiergn · ‎06-10-2016

See if the following helps:

| rex field=yourfieldname "(?<filename>[^\\\]+$)"

Example:

| stats count | fields - count
| eval raw = "
\\BLAH01\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Group\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Groups\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\coreos\coreos.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.nvram;
\\BLAH02\BLAH\x\BLAH\VMware\VMware_Horizon6\ACP!5C!s_BLAH.vmdk;
\\BLAH02\BLAH\RAMS\$Research\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\Fil01\e_ev\Group\BLAH\Backups\Copy of BLAH\index.asp.LCK;
\\BLAH02\BLAH\Fil01\d_ev\Users\BLAH\old pc files\BLAH\Local Settings\Application Data\Microsoft\Silverlight\mssl.lck
"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<filename>[^\\\]+$)"

Output: see picture

View solution in original post

javiergn · ‎06-10-2016

See if the following helps:

| rex field=yourfieldname "(?<filename>[^\\\]+$)"

Example:

| stats count | fields - count
| eval raw = "
\\BLAH01\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Group\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH01\Groups\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\coreos\coreos.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.vmx;
\\BLAH02\BLAH\documents\BLAH\Documents\Virtual Machines\Windows XP Professional x64 Edition\Windows XP Professional x64 Edition.nvram;
\\BLAH02\BLAH\x\BLAH\VMware\VMware_Horizon6\ACP!5C!s_BLAH.vmdk;
\\BLAH02\BLAH\RAMS\$Research\BLAH\ACN\BLAH\Dataline\PARADOX.LCK;
\\BLAH02\BLAH\Fil01\e_ev\Group\BLAH\Backups\Copy of BLAH\index.asp.LCK;
\\BLAH02\BLAH\Fil01\d_ev\Users\BLAH\old pc files\BLAH\Local Settings\Application Data\Microsoft\Silverlight\mssl.lck
"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<filename>[^\\\]+$)"

Output: see picture

mrgibbon · ‎06-10-2016

That is 400 different types of awesome!
Thanks so much!
:)

mrgibbon · ‎06-10-2016

Is there a way of getting the path without the filename on the end? 🙂

javiergn · ‎06-10-2016

Yes, try this:

| rex field=yourfieldname "(?<path>.+)\\\(?<filename>[^\\\]+$)"

Keep in mind Splunk is replacing the double backslash with single backslash on my example, but the principle is the same anyway.

How do I use rex to extract filenames from UNC paths?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms