How to match folders only from file path search re...

erictodor · ‎05-15-2017

I have a search which produces c:\folder\folder\folder\folder\file.exe as results. I want to remove file.exe so that I'm left with c:\folder\folder\folder\folder. It's unknown how many subfolders may exist in my search results. Any help with the regex syntax would be great.

Thank you

gcusello · ‎05-15-2017

Hi erictodor,
you can use a regex like this

your_search | rex field=your_field "(?<path>.*)\\\w*\.\w+$"

Bye.
Giuseppe

erictodor · ‎05-15-2017

That didn't work. I managed to make this regex work in a simulator but I'm not sure why I can't get the syntax to work in Splunk

\.+\w+\' (works in simulator)

"(?<'path'>)\.+\w+\" (attempt at Splunk regex logic)

gcusello · ‎05-16-2017

try with

your_search | rex field=your_field "(?<path>.*)\\\\\w*\.\w+$" | table path

this is an example that runs on my Splunk

index=_internal 
| head 1 
| eval my_field="c:\folder\folder\folder\folder\file.exe" 
| rex field=my_field "(?<path>.*)\\\\\w*\.\w+$" 
| table path

result is c:\folder\folder\folder\folder
Bye.
Giuseppe

How to match folders only from file path search results by using regular expression?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms