Re: To remove complete directory if a folder strut...

DataOrg · ‎03-08-2022

How to completely remove/not select the directory path if it "remote" in its folder structure

my regex --- specification|Cu Req|Cu Spec|02 - Regulatory|\\*\\remote||

directory struture

/specification/Cu Req/remote/value --- remove complete path

/specification/system/val_remote/cmd/system - remove since its has word as "remote"

/specification/system/value/remote--- remove the path

/specification /system/value/cmd/sys32 - consider

kamlesh_vaghela · ‎03-09-2022

@DataOrg

Can you please share some example values ( as per your use cases) and expected output?

KV

🙂

ITWhisperer · ‎03-08-2022

If I understand correctly, you only want events where the directory field does not contain "remote"?

| regex directory!="remote"

DataOrg · ‎03-08-2022

Need to remove the path before forming up in the file.

https://regex101.com/r/xcKiSe/1

ITWhisperer · ‎03-08-2022

I am not clear what you are trying to do here. Do you want to remove "remote" from a field, or remove events with "remote" in a field or something else?

DataOrg · ‎03-08-2022

@ITWhisperer i am writing a script which only the specific directory is considered.

for example the folder structure is formed like this /spec/abs/remote so while forming when remote is there in a directory it should not write the directory

ITWhisperer · ‎03-08-2022

What has this to do with splunk?

What language are you writing the script in?

Where does the file path come from?

How to completely remove/not select the directory path if it "remote" in its folder structure?

blacklist

field extraction

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!