- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- I need to seperate the users infected drive, I am ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to seperate the users infected drive, I am getting a field name with users infected drive path i.e. C:/ , D:/, E:/.. need to seperate in results that C:/ in internal drive D:/, E:/ External drive
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right, some examples of the fields you have would help just so we know how to best answer this for you, but here's one way.
If you have a field "Path" that consists of items like you describe, for instance "C:\myfolder\mypath\filename.txt", you can rex out of that the first letter to get the drive. That would be something like
... | rex field=Path "^(?<drive>\w)"
That rex says to look inside the existing field "Path" for the first "word character" (e.g. letters), and assign that to the field "drive".
Now that we have drive, we can do things with it.
... | rex field=Path "^(?<drive>\w)" | eval DriveType = if(drive="C", "Internal", "External")
Once that's run, you should have a "DriveType" field that is the word "Internal" if it's the C: drive, and "External" if anything else.
For a bit more complex logic, you can use case, too (Docs for case here). For instance, C and E Internal, D is "CD" and all others "External":
... | rex field=Path "^(?<drive>\w)"
| eval DriveType = case(drive="C", "Internal", drive="D", "CD", drive="E" "Internal", 1==1, "External")
And of course, for any of those you can do things like ... | stats count by drive or whatever else you'd like.
Happy Splunking!
-Rich
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right, some examples of the fields you have would help just so we know how to best answer this for you, but here's one way.
If you have a field "Path" that consists of items like you describe, for instance "C:\myfolder\mypath\filename.txt", you can rex out of that the first letter to get the drive. That would be something like
... | rex field=Path "^(?<drive>\w)"
That rex says to look inside the existing field "Path" for the first "word character" (e.g. letters), and assign that to the field "drive".
Now that we have drive, we can do things with it.
... | rex field=Path "^(?<drive>\w)" | eval DriveType = if(drive="C", "Internal", "External")
Once that's run, you should have a "DriveType" field that is the word "Internal" if it's the C: drive, and "External" if anything else.
For a bit more complex logic, you can use case, too (Docs for case here). For instance, C and E Internal, D is "CD" and all others "External":
... | rex field=Path "^(?<drive>\w)"
| eval DriveType = case(drive="C", "Internal", drive="D", "CD", drive="E" "Internal", 1==1, "External")
And of course, for any of those you can do things like ... | stats count by drive or whatever else you'd like.
Happy Splunking!
-Rich
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the answer but my query is something different
have the below paths under field "file_name"
C:\Users\mpa228\Desktop\Zonerich.7035.exe
D:\DONATION LIST 2017\DONATION LIST 2017.exe
D:\KINGSTON (8GB).lnk
D:\system3_.exe
E:\UPC PICS.exe
E:\WD Smartware Pro Free Trial.exe
I want to calculate the users infected with file past "C:\" are internal infections and remaining drives as external, because in my organization there is only 1 C drive is internal remaining as removable
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why Do I get the drive "c" when I put it in Internal drive, but not the "C"
is it because of drive letter is in CAPS
"C" is goint to internal, however
"c" is going to External
please help me in this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure.
Once again the eval command and all it's myriad functions will help you. In any of the cases (the "if" or "case"), you simply need to eval the new field drive to a lowercase version of itself between extracting it (the rex ) and using it. Like this.
index=Y sourcetype=F
| rex field=file_name "^(?<drive>\w)"
| eval drive = lower(drive)
| eval DriveType = if(drive="c", "Internal", "External")
Notice I also changed the eval for the DriveType eval to have the right case too.
Give that a shot - if you have problems, paste in your actual search and I/we can fix it up for you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the same.
I tried doing | eval DriveType = if(drive="c" OR drive="C", "Internal", "External")
It worked for me.
Thank you again for the help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great, my second code should work (With one tiny change to reflect your field name...)
index=Y sourcetype=F
| rex field=file_name "^(?<drive>\w)"
| eval DriveType = if(drive="C", "Internal", "External")
Obviously, change the first line to pull back your data - I don't know what your search is to get the above output, so you'll have to add that. The rest should work now.
EDIT: Gosh, 0 for 2 today, dumb mistakes. Editing to my SECOND piece of code should do it. Run-anywhere proof of concept:
| makeresults
| eval file_name="C:\Users\mpa228\Desktop\Zonerich.7035.exe"
| fields - _time
| rex field=file_name "(?<drive>\w*)"
| eval DriveType = if(drive="C", "Internal", "External")
Change the string in the second line to the others, you'll see it working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you rich, its working now.
can you help me in the same to find out rex of F drive which is our share drive so that I can filter out internal, share and external drive in the same query.
thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. Hopefully even on my phone since the power just went out.
Change the "eval if" to
| eval DriveType = case(drive="C", "Internal", drive="F", "Share", 1==1, "External")
Try that
-Rich
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you So much Rich.. its working....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wonderful. Could you be so kind as to click "Accept"? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't forget to upvote and click Accept.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
