Help using REGEX to get the File Path from a field at search time

mkersh
Engager

I'm attempting to categorize my Splunk usage by source, using the log file path as a rough way to group by application. So in my search I'm retrieving the source and then attempting to use a regex to show just the file path portion of the value.

Example...

This is my search query...

index=_internal source=license_usage type=Usage | eval MB=round((b/1024)/1024,2) | stats sum(MB) AS usage(mb) by h,s | sort 0 -usage(mb) | rename s as sourceDir | rename h as host

This is a sample of the values being returned for s

/cgu/prd/data/applogs/technical/uapesb02N1.PrdCguIccWesbAppM2.ServiceActivityEvent.log
/pi/prd/data/scv/CRODS_R3/logs/crods_r3.log
/cgu/prd/http/PrdCgu2Http/logs/access_log.2012-03-30

I've tried to use rex to remove the filename and show just the file path portion using this...

| rex field=s mode=sed "s/(^.*)\(?!\)//g" |

but so far nothing seems to be working. Please help 🙂

1 Solution

Damien_Dallimor
Ultra Champion

Does this do the trick ?

... | rex field=s "(?<filepath>(/\w+)+)/" | table filepath

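Added example, not part of the thread: the accepted regex run in Python against the sample values from the question, so the behaviour can be checked offline before it goes into a search. Splunk's rex uses PCRE named groups, `(?<filepath>...)`; Python's re module spells the same group `(?P<filepath>...)`, and that is the only change to the pattern. The block also shows the one caveat a practitioner should know: `\w` matches only letters, digits and underscore, so a directory name containing "-" or "." cuts the captured path short. The alternative pattern that anchors on the last "/" (`^(?<filepath>.*)/[^/]*$` in rex syntax), the hyphenated path and the source with no "/" are my assumptions for illustration, not values from the page.

```python
import re

# The accepted answer's regex, translated to Python's named-group syntax.
# Splunk's rex command is PCRE and accepts (?<filepath>...); Python's re
# module needs (?P<filepath>...). The pattern itself is unchanged:
# one or more "/word" segments, followed by the "/" before the file name.
ANSWER_PATTERN = re.compile(r"(?P<filepath>(/\w+)+)/")

# Alternative assumed here, not taken from the thread: capture everything
# before the last "/", so directory names containing "-" or "." survive.
# Splunk equivalent:  rex field=s "^(?<filepath>.*)/[^/]*$"
LAST_SLASH_PATTERN = re.compile(r"^(?P<filepath>.*)/[^/]*$")

# Constructed sample values: the three paths quoted in the question plus
# two edge cases (a hyphenated directory name and a source with no "/").
SAMPLE_SOURCES = [
    "/cgu/prd/data/applogs/technical/uapesb02N1.PrdCguIccWesbAppM2.ServiceActivityEvent.log",
    "/pi/prd/data/scv/CRODS_R3/logs/crods_r3.log",
    "/cgu/prd/http/PrdCgu2Http/logs/access_log.2012-03-30",
    "/opt/my-app/logs/app.log",  # constructed: "-" is not matched by \w
    "WinEventLog:Security",      # constructed: no directory component at all
]


def extract_filepath(source, pattern=ANSWER_PATTERN):
    """Return the directory portion of a source value, or None when the
    pattern does not match (rex likewise leaves the field unset)."""
    match = pattern.search(source)
    return match.group("filepath") if match else None


def compare_patterns(sources):
    """Map each source to (answer-regex result, last-slash-regex result)."""
    return {
        s: (extract_filepath(s, ANSWER_PATTERN),
            extract_filepath(s, LAST_SLASH_PATTERN))
        for s in sources
    }


if __name__ == "__main__":
    for source, (answer, last_slash) in compare_patterns(SAMPLE_SOURCES).items():
        print(f"{source}\n  answer regex : {answer}\n  last-slash   : {last_slash}")
```

For the three paths from the question both patterns agree. For `/opt/my-app/logs/app.log` the answer's regex returns `/opt`, because `(/\w+)+` stops at the hyphen and backtracks to the last segment that is followed by a "/", while the last-slash pattern returns `/opt/my-app/logs`. A source with no "/" at all matches neither pattern, so the field is simply absent for those events; in a stats-by-sourceDir report those rows drop out unless you fill the field first.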

mkersh
Engager

That worked perfectly. Thanks!


Damien_Dallimor
Ultra Champion

Updated the original answer and verified that it works in Splunk.


mkersh
Engager

Thanks - that's closer... It is returning just the last path... so /pi/prd/data/scv/CRODS_R3/logs/crods_r3.log becomes /logs
