https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-information-in-field-source/m-p/27527#M4630 <P>Fantastic Ayn, Thank you for the detailed response!</P> Wed, 07 Aug 2013 19:09:16 GMT zindain24 2013-08-07T19:09:16Z https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-information-in-field-source/m-p/27525#M4628 <P>My webserver logs are sent to my indexers through a Universal Forwarder.</P> <P>*Snippet from inputs.conf on the Universal Forwarder</P> <P>[monitor:///path/to/apache/2.2/web/.../logs/*access_log]</P> <P>disabled = false</P> <P>sourcetype = access_combined</P> <P>index = internet</P> <P>followTail=0</P> <P>With this configuration, we properly set the following fields<BR /> index = internet,<BR /> host = unixservername,<BR /> sourcetype = access_combined</P> <P>The problem is, we need a field with the webserver name in segment 6 of the source:<BR /> /path/to/apache/2.2/web/<STRONG>...</STRONG>/logs/*access_log</P> <P>We tried adding host_segment = 6 to the forwarder stanzas, but then we lose our true "host = unixservername" which is also necessary. Unfortunately, this information is NOT available anywhere but the source field.</P> <P>So....</P> <P>We can easily create a search time |rex for Splunk to process to pull the information:<BR /> |rex field=source "\/path\/to\/apache\/[0-9].[0-9]\/\w+\/(?<WEBSERVER>.*?)\/"</WEBSERVER></P> <P>This works well... however, I don't want my users to have to run this every time they search. </P> <P>I would like the ability to add this as a Index time or Search time extraction through props and transforms -- preferably at the forwarder or indexer level. Any suggestions? Thanks for your help, ideas, and input! I'm stuck...</P> <P>Jeremy</P> Wed, 07 Aug 2013 14:39:01 GMT https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-information-in-field-source/m-p/27525#M4628 zindain24 2013-08-07T14:39:01Z https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-information-in-field-source/m-p/27526#M4629 <P>Just set up a field extraction as usual - are you familiar with how to do this in props.conf / transforms.conf? If so, it's just like a regular field extraction but you specify <CODE>SOURCE_KEY = (yourfieldhere)</CODE> (for REPORT style extractions that reference a transforms.conf entry) or <CODE>EXTRACT = &lt;yourregex&gt; in &lt;yourfieldhere&gt;</CODE> (for EXTRACT style extractions directly in props.conf).</P> <P>So for the first case it'd be something like...props.conf:</P> <PRE><CODE>[yoursourcetype] REPORT-getfieldfromsource = getfieldfromsource </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[getfieldfromsource] SOURCE_KEY = source REGEX = /path/to/apache/[0-9]\.[0-9]/\w+/(.*?)/ FORMAT = webserver::$1 </CODE></PRE> <P>Or, in the second case, just throw your <CODE>rex</CODE> statement in almost unaltered into an EXTRACT extraction in props.conf:</P> <PRE><CODE>[yoursourcetype] EXTRACT-getfieldfromsource = /path/to/apache/[0-9]\.[0-9]/\w+/(?&lt;webserver&gt;.*?)/ in source </CODE></PRE> Wed, 07 Aug 2013 16:45:48 GMT https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-information-in-field-source/m-p/27526#M4629 Ayn 2013-08-07T16:45:48Z https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-information-in-field-source/m-p/27527#M4630 <P>Fantastic Ayn, Thank you for the detailed response!</P> Wed, 07 Aug 2013 19:09:16 GMT https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-information-in-field-source/m-p/27527#M4630 zindain24 2013-08-07T19:09:16Z