How to match folders only from file path search re...

erictodor · ‎05-15-2017

I have a search which produces c:\folder\folder\folder\folder\file.exe as results. I want to remove file.exe so that I'm left with c:\folder\folder\folder\folder. It's unknown how many subfolders may exist in my search results. Any help with the regex syntax would be great.

Thank you

gcusello · ‎05-15-2017

Hi erictodor,
you can use a regex like this

your_search | rex field=your_field "(?<path>.*)\\\w*\.\w+$"

Bye.
Giuseppe

erictodor · ‎05-15-2017

That didn't work. I managed to make this regex work in a simulator but I'm not sure why I can't get the syntax to work in Splunk

\.+\w+\' (works in simulator)

"(?<'path'>)\.+\w+\" (attempt at Splunk regex logic)

gcusello · ‎05-16-2017

try with

your_search | rex field=your_field "(?<path>.*)\\\\\w*\.\w+$" | table path

this is an example that runs on my Splunk

index=_internal 
| head 1 
| eval my_field="c:\folder\folder\folder\folder\file.exe" 
| rex field=my_field "(?<path>.*)\\\\\w*\.\w+$" 
| table path

result is c:\folder\folder\folder\folder
Bye.
Giuseppe

How to match folders only from file path search results by using regular expression?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...