<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: source name setup with wildcard in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543320#M90717</link>
    <description>&lt;P&gt;You are welcome! Upvotes will be appreciated!&lt;/P&gt;</description>
    <pubDate>Thu, 11 Mar 2021 07:03:01 GMT</pubDate>
    <dc:creator>manjunathmeti</dc:creator>
    <dc:date>2021-03-11T07:03:01Z</dc:date>
    <item>
      <title>source name setup with wildcard</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543296#M90709</link>
      <description>&lt;P&gt;Hi Everyone,&lt;/P&gt;&lt;P&gt;Currently i am monitoring the *.log files under a path, i have not given a source name since we dont have a definite source The file names keep on updating&lt;/P&gt;&lt;P&gt;My Inputs.conf&lt;/P&gt;&lt;P&gt;[monitor://[path]\*.log]&lt;BR /&gt;disabled = 0&lt;BR /&gt;index = test&lt;BR /&gt;sourcetype = sourcetypetest&lt;/P&gt;&lt;P&gt;When the data is indexed into splunk, it is giving the source names as "E:\test\Apps\path\EventLogs\MemoCPU\user-MemoCPU.log'' where as i just want to extract the 'user-MemoCPU'&amp;nbsp;field in the source and display in a dashboard panel. Please let me know if its possible&lt;/P&gt;&lt;P&gt;I am building a dashboard panel with below query,&lt;/P&gt;&lt;P&gt;index = test | stats count by source | sort -count&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 11 Mar 2021 03:58:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543296#M90709</guid>
      <dc:creator>SS1</dc:creator>
      <dc:date>2021-03-11T03:58:41Z</dc:date>
    </item>
    <item>
      <title>Re: source name setup with wildcard</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543313#M90712</link>
      <description>&lt;P&gt;You can use rex to extract the only filename:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index = test | rex field=source "(?&amp;lt;source&amp;gt;[^\\\\]+)\.log$" | stats count by source | sort -count&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If this reply helps you, an upvote/like would be appreciated.&lt;/P&gt;</description>
      <pubDate>Thu, 11 Mar 2021 06:40:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543313#M90712</guid>
      <dc:creator>manjunathmeti</dc:creator>
      <dc:date>2021-03-11T06:40:03Z</dc:date>
    </item>
    <item>
      <title>Re: source name setup with wildcard</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543316#M90714</link>
      <description>&lt;P&gt;Thanks, this worked like a charm.&lt;BR /&gt;&lt;BR /&gt;output is shown as below&lt;/P&gt;&lt;P&gt;source&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;count&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;user-MemoCPU&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; 1&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Is there a way i can show output as just like below&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;source&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;count&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;user&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;1&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;or&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;source&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;issue&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;user&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;MemoCPU&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 11 Mar 2021 06:47:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543316#M90714</guid>
      <dc:creator>SS1</dc:creator>
      <dc:date>2021-03-11T06:47:14Z</dc:date>
    </item>
    <item>
      <title>Re: source name setup with wildcard</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543317#M90715</link>
      <description>&lt;P&gt;Yes,&amp;nbsp;&lt;BR /&gt;For the first one just extract the user part:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index = test | rex field=source "\\\\(?&amp;lt;source&amp;gt;\w+)-\w+.log$" | stats count by source | sort -count&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For the second one:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index = test | rex field=source "\\\\(?&amp;lt;source&amp;gt;\w+)-(?&amp;lt;issue&amp;gt;\w+)\.log$" | table source, issue&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If this reply helps you, an upvote/like would be appreciated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 11 Mar 2021 06:56:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543317#M90715</guid>
      <dc:creator>manjunathmeti</dc:creator>
      <dc:date>2021-03-11T06:56:14Z</dc:date>
    </item>
    <item>
      <title>Re: source name setup with wildcard</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543318#M90716</link>
      <description>&lt;P&gt;Thanks a lot, both working fine !&lt;/P&gt;</description>
      <pubDate>Thu, 11 Mar 2021 06:58:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543318#M90716</guid>
      <dc:creator>SS1</dc:creator>
      <dc:date>2021-03-11T06:58:58Z</dc:date>
    </item>
    <item>
      <title>Re: source name setup with wildcard</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543320#M90717</link>
      <description>&lt;P&gt;You are welcome! Upvotes will be appreciated!&lt;/P&gt;</description>
      <pubDate>Thu, 11 Mar 2021 07:03:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/source-name-setup-with-wildcard/m-p/543320#M90717</guid>
      <dc:creator>manjunathmeti</dc:creator>
      <dc:date>2021-03-11T07:03:01Z</dc:date>
    </item>
  </channel>
</rss>

