Solved: How can I extract a file name from a file path?

JustRoot · ‎08-15-2017

Hello,

So currently, one of my indices logs has the file path which contains the file name but doesn't have a separate file name field. Is there any way to extract the filename? For example, if c:\users\user1\desktop\file.exe is my file path, I want to see file.exe.

Have:
c:\users\user1\desktop\file.exe

Want:
file.exe

Thanks

PS - I know there are other posts on this, but the solutions offered on those didn't work for me.

masonmorales · ‎08-15-2017

Try adding another backslash, like this:

 <your search> | rex field=Process_Name "(?P<file>[^\\\]+)$"

View solution in original post

masonmorales · ‎08-15-2017

Try adding another backslash, like this:

 <your search> | rex field=Process_Name "(?P<file>[^\\\]+)$"

JustRoot · ‎08-15-2017

This worked, thanks!

cpetterborg · ‎08-15-2017

I'm going to assume that you have the full path in a field and that you are doing a search time extraction with the rex command. Do something like this:

<your search> | rex field=path "(?P<file>[^\\\]+)$"

If you are using the source field, then just substitute source for path.

Edited. - needed an extra backslash in the rex.

JustRoot · ‎08-15-2017

This is the error I get using the exact solution you provided.

How can I extract a file name from a file path?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life