- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can you help me extract a filename from a file...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me extract a filename from a filepath in a field transformation?
I have a path (and a variable file_path) that looks like this:
C:\\\\Program Files\\\\theapp\\\\the app\\\\Tools\\\\IR\\\\somefolder\\\\somefile.exe
And I'm trying to retrieve the file name somefile.exe
I created a Field transformation with the following info, but I'm not getting the field file_name to populate
name: file_name
Regular expression: (?P<file_name>[^\\]+)$
Format:
Source Key: file_path
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try below transform as it takes very less steps:-
\D*\(?\w*.\w*)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah, right, when putting it into files, you need to adjust the backslashes; use this instead:
In props.conf:
[YourSourcetypeHere]
REPORT-file_name_FROM_file_path
In transforms.conf:
[file_name_FROM_file_path]
REGEX = ([^\\]+)$
SOURCE_KEY = file_path
FORMAT = file_name::$1
Capitalization is CRITICAL. Also, note that you probably need REPORT- (for search-time extractions) instead of TRANSFORMS- (for index-time extractions) because I am pretty sure that the file_path field is not an index-time field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does it make a difference if I'm doing this on the search head using the field transformation option under "Fields"? My Splunk searchhead is in the cloud so I don't have access to the files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, it should work exactly the same. These settings will do what you need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| makeresults
| eval file_path=" C:\\\\\\\\Program Files\\\\\\\\theapp\\\\\\\\the app\\\\\\\\Tools\\\\\\\\IR\\\\\\\\somefolder\\\\\\\\somefile.exe"
| rex field=file_path "(?<file_name>[^\\\]+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The thing is my regex works when I test it, but it doesn't work when I create the file transformation. For example, when I type yours in I get:
Encountered the following error while trying to update: Regex: missing terminating ] for character class
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you putting this into transforms.conf? If so, then you need to remove one of the back-slashes, like this:
REGEX = (?<file_name>[^\\]+)$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @mkarimi17,
I just tested this out using the event source=C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log.
I needed 4 backslashes in the regex to get it working:
source="C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log"
| rex field=source "(?<file_name>[^\\\\]+)$"
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
