https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-from-values-with-the-source-field/m-p/636348#M108848 <P>Hello Vishal,</P><P>is the folder structure always the same? If yes, this should work:</P><LI-CODE lang="markup">| rex field=source "Daily Reporting\\(?&lt;business_unit&gt;[^\\]+)"</LI-CODE><P>If not you could use this regex:</P><LI-CODE lang="markup">\\\\[^\\]+\\[^\\]+\\[^\\]+\\[^\\]+\\[^\\]+\\(?&lt;business_unit&gt;[^\\]+)</LI-CODE><P>&nbsp;</P><P>If you want to include this to props.conf and transforms.conf try something like this:</P><P>props.conf</P><LI-CODE lang="markup">[sourcetype] REPORT-my_fields = business_unit</LI-CODE><P>transforms.conf</P><LI-CODE lang="markup">[business_unit] SOURCE_KEY = source REGEX = one of the above mentioned regex</LI-CODE><P>&nbsp;</P><P>If this helps please upvote my answer.</P><P>Best regards,</P><P>Vincent</P> Tue, 28 Mar 2023 15:39:49 GMT vsommer 2023-03-28T15:39:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-from-values-with-the-source-field/m-p/636344#M108846 <P>I've created fields from regex expressions before but never from the source field.</P> <P data-unlink="true">This is an example of the value within the source field:<BR />&nbsp;\\host0000\Test\IT Information\ Data Files\Daily Reporting\Business Unit\&nbsp;</P> <P data-unlink="true">I would like to extract the business unit value and call it Business Unit.</P> <P data-unlink="true">I have access to create a props.conf file.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Can you help?</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Kind regards,</P> <P data-unlink="true">Vishal</P> Tue, 28 Mar 2023 16:23:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-from-values-with-the-source-field/m-p/636344#M108846 vishalduttauk 2023-03-28T16:23:17Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-from-values-with-the-source-field/m-p/636346#M108847 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/228513">@vishalduttauk</a>,</P><P>if the number ot subfolders in path is fixed you can use this regex in a search:</P><LI-CODE lang="markup">| rex field=source "\\(\\[^\\]+){5}\\(?&lt;business_unit&gt;[^\\]+)"</LI-CODE><P>if instead you want to use this regex in a field extraction, you can use:</P><LI-CODE lang="markup">\\(\\[^\\]+){5}\\(?&lt;business_unit&gt;[^\\]+) in source</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 28 Mar 2023 15:35:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-from-values-with-the-source-field/m-p/636346#M108847 gcusello 2023-03-28T15:35:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-from-values-with-the-source-field/m-p/636348#M108848 <P>Hello Vishal,</P><P>is the folder structure always the same? If yes, this should work:</P><LI-CODE lang="markup">| rex field=source "Daily Reporting\\(?&lt;business_unit&gt;[^\\]+)"</LI-CODE><P>If not you could use this regex:</P><LI-CODE lang="markup">\\\\[^\\]+\\[^\\]+\\[^\\]+\\[^\\]+\\[^\\]+\\(?&lt;business_unit&gt;[^\\]+)</LI-CODE><P>&nbsp;</P><P>If you want to include this to props.conf and transforms.conf try something like this:</P><P>props.conf</P><LI-CODE lang="markup">[sourcetype] REPORT-my_fields = business_unit</LI-CODE><P>transforms.conf</P><LI-CODE lang="markup">[business_unit] SOURCE_KEY = source REGEX = one of the above mentioned regex</LI-CODE><P>&nbsp;</P><P>If this helps please upvote my answer.</P><P>Best regards,</P><P>Vincent</P> Tue, 28 Mar 2023 15:39:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-from-values-with-the-source-field/m-p/636348#M108848 vsommer 2023-03-28T15:39:49Z