https://community.splunk.com/t5/Getting-Data-In/How-do-i-extract-data-from-my-event-source-filename/m-p/370515#M67232 <P>I have multiple logfiles like TEST_SRC_FR.txt, TEST_SRC_IN.txt, TEST_SRC_AU.txt which are my source files. Now i want to extract the last two letters like "FR" from TEST_SRC_FR.txt.</P> <P>Any idea how to get them during search time.</P> <P>Regards,</P> <P>Pradipta</P> Tue, 29 Sep 2020 18:02:22 GMT pradiptam 2020-09-29T18:02:22Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-extract-data-from-my-event-source-filename/m-p/370515#M67232 <P>I have multiple logfiles like TEST_SRC_FR.txt, TEST_SRC_IN.txt, TEST_SRC_AU.txt which are my source files. Now i want to extract the last two letters like "FR" from TEST_SRC_FR.txt.</P> <P>Any idea how to get them during search time.</P> <P>Regards,</P> <P>Pradipta</P> Tue, 29 Sep 2020 18:02:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-extract-data-from-my-event-source-filename/m-p/370515#M67232 pradiptam 2020-09-29T18:02:22Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-extract-data-from-my-event-source-filename/m-p/370516#M67233 <P>try this run anywhere search:</P> <PRE><CODE>| makeresults |eval _raw="TEST_SRC_FR.txt"|rex ".*_(?&lt;name&gt;\w{2})" </CODE></PRE> <P>in your case you can use as</P> <PRE><CODE>index=&lt;indexname&gt;| rex field=source ".*_(?&lt;name&gt;\w{2})" </CODE></PRE> <P>also you can make this regex in props.conf</P> Thu, 08 Feb 2018 19:02:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-extract-data-from-my-event-source-filename/m-p/370516#M67233 493669 2018-02-08T19:02:12Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-extract-data-from-my-event-source-filename/m-p/370517#M67234 <P>Sure!</P> <PRE><CODE>... | rex field=source "(?&lt;LastTwoLetters&gt;..)\.txt$" </CODE></PRE> <P>That assume they're the literal field <CODE>source</CODE> and that they ALWAYS end with "txt". </P> <P>Modifications can be made for other similar scenarios, but you'll have to be very specific in describing them. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Happy Splunking,<BR /> Rich</P> Thu, 08 Feb 2018 19:04:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-extract-data-from-my-event-source-filename/m-p/370517#M67234 Richfez 2018-02-08T19:04:21Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-extract-data-from-my-event-source-filename/m-p/370518#M67235 <P>Great its working fine for me.</P> <P>regards,<BR /> Pradipta</P> Fri, 09 Feb 2018 05:53:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-extract-data-from-my-event-source-filename/m-p/370518#M67235 pradiptam 2018-02-09T05:53:52Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-extract-data-from-my-event-source-filename/m-p/370519#M67236 <P>Thanks its also working, checking which one to use in my program</P> <P>Regards,<BR /> Pradipta</P> Fri, 09 Feb 2018 05:54:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-extract-data-from-my-event-source-filename/m-p/370519#M67236 pradiptam 2018-02-09T05:54:43Z