https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296783#M56273 <P>yes as @micahkemp suggested try this regex to get separate site name w.r.t. source name,</P> <PRE><CODE>| rex field=source "^/([^/]+/){3}(?&lt;source&gt;[^/]+(?&lt;site&gt;[0-9]+)[^/]+?)/" </CODE></PRE> Sat, 17 Feb 2018 03:38:52 GMT 493669 2018-02-17T03:38:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296779#M56269 <P>I have source below:</P> <PRE><CODE>/prod/app/atm/ATMCHKMI1a/logs/catalina.out /prod/app/atm/ATMCHKMI2a/logs/catalina.out /prod/app/atm/ATMFOTN1a/logs/catalina.out /prod/app/atm/ATMFITNA2a/logs/catalina.out /prod/app/atm/ATMATMASS1a/logs/catalina.out /prod/app/atm/ATMATMASS2a/logs/catalina.out </CODE></PRE> <P>I want the source to display only as an Atmchk1a for first and so on and not the entire path.<BR /> How to do it?</P> Fri, 16 Feb 2018 17:38:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296779#M56269 abhi04 2018-02-16T17:38:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296780#M56270 <P>You can use rex in sed mode:</P> <PRE><CODE>&lt;base search&gt;|rex field=source mode=sed "s/^\/[^\/]+\/[^\/]+\/[^\/]+\/(\w+).*/\1/" </CODE></PRE> <P>OR simply use rex command:</P> <PRE><CODE> &lt;base search&gt;|rex field=source "^\/[^\/]+\/[^\/]+\/[^\/]+\/(?&lt;source&gt;\w+)" </CODE></PRE> <P>try this run anywhere search:</P> <PRE><CODE>|makeresults|eval source="/prod/app/atm/ATMCHKMI1a/logs/catalina.out"|rex field=source mode=sed "s/^\/[^\/]+\/[^\/]+\/[^\/]+\/(\w+).*/\1/" </CODE></PRE> Fri, 16 Feb 2018 17:57:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296780#M56270 493669 2018-02-16T17:57:51Z https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296781#M56271 <P>Thanks, It worked.<BR /> Also, if I want to separate into two site as well i.e. ATMCHKMI1a shows as site 1 and ATMCHKMI2a shows as site 2 and similarly for others. How to do that?</P> Sat, 17 Feb 2018 03:23:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296781#M56271 abhi04 2018-02-17T03:23:22Z https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296782#M56272 <P>I think rex with capture groups would enable you to get the name and site efficiently:</P> <PRE><CODE>| makeresults | eval source="/prod/app/atm/ATMCHKMI1a/logs/catalina.out" | append [| makeresults | eval source="/prod/app/atm/ATMCHKMI2a/logs/catalina.out"] | append [| makeresults | eval source="/prod/app/atm/ATMFOTN1a/logs/catalina.out"] | append [| makeresults | eval source="/prod/app/atm/ATMFITNA2a/logs/catalina.out"] | append [| makeresults | eval source="/prod/app/atm/ATMATMASS1a/logs/catalina.out"] | append [| makeresults | eval source="/prod/app/atm/ATMATMASS2a/logs/catalina.out"] | rex field=source "^/([^/]+/){3}(?&lt;name&gt;[^/]+(?&lt;site&gt;[0-9]+)[^/]+?)/" | eval site="site ".site | table name site &lt;other fields&gt; </CODE></PRE> <P>The regex looks for three path components before the extracted <CODE>name</CODE>, with <CODE>site</CODE> extracted as the last digits of the name.</P> Sat, 17 Feb 2018 03:32:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296782#M56272 micahkemp 2018-02-17T03:32:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296783#M56273 <P>yes as @micahkemp suggested try this regex to get separate site name w.r.t. source name,</P> <PRE><CODE>| rex field=source "^/([^/]+/){3}(?&lt;source&gt;[^/]+(?&lt;site&gt;[0-9]+)[^/]+?)/" </CODE></PRE> Sat, 17 Feb 2018 03:38:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296783#M56273 493669 2018-02-17T03:38:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296784#M56274 <P>Hi Micahkemp,</P> <P>It did not work,</P> <P>We now have got the source as below from the full path which I wanted.<BR /> ATMatmasst1a<BR /><BR /> ATMatmasst2a<BR /><BR /> ATMatmasstportal1a<BR /><BR /> ATMcdprof1a <BR /> ATMcdprof2a <BR /> ATMchkimg1a <BR /> ATMchkimg2a <BR /> ATMchkimgclt1prod<BR /><BR /> ATMciv1a<BR /><BR /> ATMcmprspclt1prod<BR /><BR /> ATMcrdreissueclt1prod<BR /><BR /> ATMcusprof1a<BR /><BR /> ATMcusprof2a<BR /><BR /> ATMdepositjamclt1prod<BR /><BR /> ATMelgbacctflnkg1a<BR /><BR /> ATMelgbacctflnkg2a<BR /><BR /> ATMercpt1a</P> <P>But now I want a table which which shows in a below manner</P> <H2>source site host starttime</H2> <P>where<BR /> ATMcusprof2a is site 2<BR /><BR /> ATMelgbacctflnkg1a is site 1 </P> <P>and so on.....</P> Sat, 17 Feb 2018 03:55:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296784#M56274 abhi04 2018-02-17T03:55:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296785#M56275 <P>Changed it to add the word "site" to the <CODE>site</CODE> field, and added in a table command.</P> Sat, 17 Feb 2018 03:59:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296785#M56275 micahkemp 2018-02-17T03:59:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296786#M56276 <P>Thanks Micahkemp, appreciated your help.</P> Sat, 17 Feb 2018 04:16:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296786#M56276 abhi04 2018-02-17T04:16:51Z https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296787#M56277 <P>HI Micahkemp,</P> <P>Can you please tell me good sites from where I can learn regex?</P> Sat, 17 Feb 2018 04:21:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296787#M56277 abhi04 2018-02-17T04:21:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296788#M56278 <P><A href="https://regex101.com/">https://regex101.com/</A> is a great site to test regexes. As for learning them, I'd have to defer to google on that one, as I don't have a recommendation handy.</P> Sat, 17 Feb 2018 04:22:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296788#M56278 micahkemp 2018-02-17T04:22:51Z https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296789#M56279 <P>@abhi04,<BR /> <CODE><A href="https://regexone.com/" target="test_blank">https://regexone.com/</A></CODE> is also good site to start regex learning</P> Sat, 17 Feb 2018 05:40:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-not-display-the-source-only-as-a-Atmchk1a-for-the-entire/m-p/296789#M56279 493669 2018-02-17T05:40:46Z