https://community.splunk.com/t5/Getting-Data-In/writing-a-rex-for-transforms/m-p/111051#M23296 <P>Hello All, <BR /> I would appreciate some assistance in writing a transforms stanza. <BR /> I am ingesting logs in which both the logname and one of the path directories both have random names. This is causing my source count to go through the roof. See below: </P> <P>/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920647/AE_BICURCNV_1920647.stdout<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920659/AE_BICURCNV_1920659.stdout<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920665/AE_BICURCNV_1920665.stdout<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920672/AE_BICURCNV_1920672.AET<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920672/AE_BICURCNV_1920672.stdout<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920678/AE_BICURCNV_1920678.stdout<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920695/AE_BICURCNV_1920695.stdout<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920723/AE_BICURCNV_1920723.stdout</P> <P>As you can see the directory before the log file keeps on changing. I need to write a transform to ignore everything after 'AE' and then the file name. <BR /> So it almost would like the following: <BR /> /appserv/prcs/FSPRD/log_output/AE/AE.stdout</P> <P>Can someone help me write the regex for my transforms base file that i can reference which would achieve this. thanks in advance.</P> Mon, 28 Sep 2020 15:38:41 GMT gurinderbhatti 2020-09-28T15:38:41Z https://community.splunk.com/t5/Getting-Data-In/writing-a-rex-for-transforms/m-p/111051#M23296 <P>Hello All, <BR /> I would appreciate some assistance in writing a transforms stanza. <BR /> I am ingesting logs in which both the logname and one of the path directories both have random names. This is causing my source count to go through the roof. See below: </P> <P>/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920647/AE_BICURCNV_1920647.stdout<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920659/AE_BICURCNV_1920659.stdout<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920665/AE_BICURCNV_1920665.stdout<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920672/AE_BICURCNV_1920672.AET<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920672/AE_BICURCNV_1920672.stdout<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920678/AE_BICURCNV_1920678.stdout<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920695/AE_BICURCNV_1920695.stdout<BR /> /appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920723/AE_BICURCNV_1920723.stdout</P> <P>As you can see the directory before the log file keeps on changing. I need to write a transform to ignore everything after 'AE' and then the file name. <BR /> So it almost would like the following: <BR /> /appserv/prcs/FSPRD/log_output/AE/AE.stdout</P> <P>Can someone help me write the regex for my transforms base file that i can reference which would achieve this. thanks in advance.</P> Mon, 28 Sep 2020 15:38:41 GMT https://community.splunk.com/t5/Getting-Data-In/writing-a-rex-for-transforms/m-p/111051#M23296 gurinderbhatti 2020-09-28T15:38:41Z https://community.splunk.com/t5/Getting-Data-In/writing-a-rex-for-transforms/m-p/111052#M23297 <P>No. You can't do that with a regex. I mean you can create the REGEX, but it will not effect the source overload. The REGEX just tells Splunk which file to 'get'. The determination of Source is something completely different - it is automatic and it is based on the real file path.</P> <P>What you really want to do is override <CODE>source</CODE>. Check out this doc:</P> <P><A href="http://answers.splunk.com/answers/97128/question-about-override-source-value-for-a-single-input">http://answers.splunk.com/answers/97128/question-about-override-source-value-for-a-single-input</A></P> Mon, 13 Jan 2014 20:33:26 GMT https://community.splunk.com/t5/Getting-Data-In/writing-a-rex-for-transforms/m-p/111052#M23297 lukejadamec 2014-01-13T20:33:26Z