Splunk Search

Can you help me extract a filename from a filepath in a field transformation?

mkarimi17
Path Finder

I have a path (and a variable file_path) that looks like this:

C:\\\\Program Files\\\\theapp\\\\the app\\\\Tools\\\\IR\\\\somefolder\\\\somefile.exe

And I'm trying to retrieve the file name somefile.exe

I created a Field transformation with the following info, but I'm not getting the field file_name to populate

name: file_name

Regular expression: (?P<file_name>[^\\]+)$

Format:

Source Key: file_path

0 Karma

kushagra9120
Explorer

You can try the transform below, as it takes fewer steps:

\D*?(?<file_name>\w+\.\w+)$

0 Karma

woodcock
Esteemed Legend

Ah, right, when putting it into files, you need to adjust the backslashes; use this instead:

In props.conf:

[YourSourcetypeHere]
REPORT-file_name_FROM_file_path = file_name_FROM_file_path

In transforms.conf:

[file_name_FROM_file_path]
REGEX = ([^\\]+)$
SOURCE_KEY = file_path
FORMAT = file_name::$1

Capitalization is CRITICAL. Also, note that you probably need REPORT- (for search-time extractions) instead of TRANSFORMS- (for index-time extractions) because I am pretty sure that the file_path field is not an index-time field.

0 Karma

mkarimi17
Path Finder

Does it make a difference if I'm doing this on the search head using the field transformation option under "Fields"? My Splunk search head is in the cloud so I don't have access to the files.

0 Karma

woodcock
Esteemed Legend

No, it should work exactly the same. These settings will do what you need.

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults
| eval file_path=" C:\\\\\\\\Program Files\\\\\\\\theapp\\\\\\\\the app\\\\\\\\Tools\\\\\\\\IR\\\\\\\\somefolder\\\\\\\\somefile.exe"
| rex field=file_path "(?<file_name>[^\\\]+)$"
0 Karma

mkarimi17
Path Finder

The thing is my regex works when I test it, but it doesn't work when I create the field transformation. For example, when I type yours in I get:

Encountered the following error while trying to update: Regex: missing terminating ] for character class
0 Karma

woodcock
Esteemed Legend

Are you putting this into transforms.conf? If so, then you need to remove one of the back-slashes, like this:

REGEX = (?<file_name>[^\\]+)$
0 Karma

whrg
Motivator

Hello @mkarimi17,

I just tested this out using the event source=C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log.

I needed 4 backslashes in the regex to get it working:

source="C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log"
| rex field=source "(?<file_name>[^\\\\]+)$"
0 Karma
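To see why the backslash count matters, here is an added Python example (not from the thread and not Splunk's own code) that runs the regex as the engine must finally receive it, the transforms.conf form from the thread, against constructed sample paths, and checks which escaping variants the engine even accepts. The path list and the helper names are assumptions for illustration.

```python
import re
from typing import Optional

# The pattern as the regex engine must receive it. This is the transforms.conf
# spelling from the thread; in SPL `rex` the thread shows the backslash has to be
# doubled again because the search string is unescaped once before it reaches
# the engine.
ENGINE_REGEX = r"(?P<file_name>[^\\]+)$"

# Constructed sample paths. The first two come from the thread; the others are
# edge cases the regex does not handle the way a reader might expect.
SAMPLE_PATHS = [
    "C:\\Program Files\\theapp\\the app\\Tools\\IR\\somefolder\\somefile.exe",
    "C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log",
    "C:\\Windows\\Temp\\",          # directory path: nothing after the last backslash
    "/usr/local/bin/somefile",      # forward slashes: the class never sees a backslash
]


def extract_file_name(path: str) -> Optional[str]:
    """Return the last backslash-delimited component of path, or None if there is none."""
    m = re.search(ENGINE_REGEX, path)
    return m.group("file_name") if m else None


def regex_compiles(pattern: str) -> bool:
    """True if the engine accepts the pattern; False reproduces the thread's
    'missing terminating ]' failure (Python reports it as an unterminated set)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(repr(p), "->", extract_file_name(p))
    # Two backslashes: one literal backslash in the class. Three: the third one
    # escapes the closing ']' and the class never ends. Four: two literal
    # backslashes in the class, harmless, which is why over-escaping still works.
    for variant in (r"[^\\]+$", r"[^\\\]+$", r"[^\\\\]+$"):
        print(variant, "compiles:", regex_compiles(variant))
```

A forward-slash path is returned whole and a path ending in a backslash yields no field at all, so normalise separators before relying on file_name in a search or detection rule.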