I'm attempting to categorize my Splunk usage by source, using the logfile path as a rough way to group by application. So in my search, I'm retrieving the source and then attempting to use REGEX to just show the filepath portion of the value.
Example...
This is my search query...
index=_internal source=license_usage type=Usage | eval MB=round((b/1024)/1024,2) | stats sum(MB) AS usage(mb) by h,s | sort 0 -usage(mb) | rename s as sourceDir | rename h as host
This is a sample of the values being returned for s
/cgu/prd/data/applogs/technical/uapesb02N1.PrdCguIccWesbAppM2.ServiceActivityEvent.log
/pi/prd/data/scv/CRODS_R3/logs/crods_r3.log
/cgu/prd/http/PrdCgu2Http/logs/access_log.2012-03-30
I've tried to use REX to remove the filename and just show the filepath portion using this...
| rex field=s mode=sed "s/(^.*)\(?!\)//g" |
but so far nothing seems to be working. Please help 🙂
Does this do the trick?
... | rex field=s "(?<filepath>(/\w+)+)/" | table filepath
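To see what that rex pattern does to the sample values from the question, here is an added Python walkthrough (not from the thread or from Splunk itself). It translates the PCRE named group to Python's `(?P<name>...)` syntax, runs the answer's pattern over the three posted paths, and also tries a constructed path with a hyphen in a directory name, where a `\w`-based pattern stops short, alongside an assumed alternative anchored on the last slash.

```python
import re
from typing import Optional

# Sample source values quoted in the question (real values from the thread).
SAMPLE_SOURCES = [
    "/cgu/prd/data/applogs/technical/uapesb02N1.PrdCguIccWesbAppM2.ServiceActivityEvent.log",
    "/pi/prd/data/scv/CRODS_R3/logs/crods_r3.log",
    "/cgu/prd/http/PrdCgu2Http/logs/access_log.2012-03-30",
]

# Splunk rex uses PCRE named groups "(?<name>...)"; Python spells them "(?P<name>...)".
# Answer's pattern: one or more "/word" segments that are followed by another "/".
ANSWER_PATTERN = re.compile(r"(?P<filepath>(/\w+)+)/")

# Constructed alternative (not from the thread): take everything before the last "/",
# so directory names containing "." or "-" are kept intact.
ROBUST_PATTERN = re.compile(r"^(?P<filepath>.*)/[^/]+$")


def extract_dir(source: str, pattern: re.Pattern = ANSWER_PATTERN) -> Optional[str]:
    """Return the directory portion of a source path, mimicking `rex field=s`.

    rex keeps the leftmost match and exposes the named group as a new field;
    a value that does not match leaves the field unset, modelled here as None.
    """
    m = pattern.search(source)
    return m.group("filepath") if m else None


def group_by_dir(sources, pattern=ANSWER_PATTERN):
    """Rough 'by application' bucketing: how many sources share each directory."""
    counts = {}
    for s in sources:
        key = extract_dir(s, pattern)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for s in SAMPLE_SOURCES:
        print(f"{s}\n  -> {extract_dir(s)}")
    # Constructed edge case: "-" and "." inside a directory name are not \w characters,
    # so the answer's pattern backtracks and yields only "/opt".
    edge = "/opt/app-1.2/logs/server.log"
    print(edge, "->", extract_dir(edge), "(answer) vs", extract_dir(edge, ROBUST_PATTERN), "(robust)")
```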
That worked perfectly. Thanks!
Updated the original answer and verified that it works in Splunk.
Thanks - that's closer... It is returning just the last path... so /pi/prd/data/scv/CRODS_R3/logs/crods_r3.log becomes /logs