https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-file-name-from-raw-logs/m-p/656244#M54056 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225066">@aditsss</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 31 Aug 2023 10:54:26 GMT gcusello 2023-08-31T10:54:26Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-file-name-from-raw-logs/m-p/656228#M54052 <P>Hi Team,</P><P><SPAN class="">2023-08-27</SPAN> <SPAN class="">10:34:18.285</SPAN> [<SPAN class="">INFO</SPAN> ] [<SPAN class="">Thread-30</SPAN>] <SPAN class="">TriumphUnbilledProcessor</SPAN> <SPAN class="">-</SPAN> <STRONG><SPAN class="">TRIM.UNBILLED</SPAN> </STRONG><SPAN class=""><SPAN class="">event</SPAN> <SPAN class="">published</SPAN> <SPAN class="">to</SPAN> <SPAN class="">ebnc:</SPAN></SPAN> [{"<SPAN class="">status</SPAN>"<SPAN class="">:</SPAN>"<SPAN class="">SUCCESS</SPAN>","<SPAN class="">description</SPAN>"<SPAN class="">:</SPAN>"<SPAN class="">Event</SPAN> <SPAN class="">saved</SPAN> <SPAN class="">to</SPAN> <SPAN class="">database</SPAN> <SPAN class="">successfully.</SPAN>"}]</P><P>&nbsp;</P><P><SPAN class="">2023-08-27</SPAN> <SPAN class="">07:38:31.688</SPAN><SPAN> [</SPAN><SPAN class="">INFO</SPAN><SPAN> ] [</SPAN><SPAN class="">Thread-31</SPAN><SPAN>] </SPAN><SPAN class="">TriumphCancelTransferProcessor</SPAN> <SPAN class="">-</SPAN> <STRONG><SPAN class="">TRIM.CNX</SPAN></STRONG> <SPAN class=""><SPAN class="">event</SPAN> <SPAN class="">published</SPAN> <SPAN class="">to</SPAN> <SPAN class="">ebnc:</SPAN></SPAN><SPAN> [{"</SPAN><SPAN class="">status</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">SUCCESS</SPAN><SPAN>","</SPAN><SPAN class="">description</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">Event</SPAN> <SPAN class="">saved</SPAN> <SPAN class="">to</SPAN> <SPAN class="">database</SPAN> <SPAN class="">successfully.</SPAN><SPAN>"}]</SPAN></P><P><SPAN>I want to fetch filenames(bold) from row logs:&nbsp;<STRONG><SPAN class="">TRIM.UNBILLED and&nbsp;TRIM.CNX</SPAN></STRONG></SPAN></P><P><SPAN><STRONG><SPAN class="">my current query:</SPAN></STRONG></SPAN></P><P><SPAN class="">index="abc"sourcetype =600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "event published to ebnc:" NOT "Utils -" | rex " event published to ebnc: \[\{\"status\":\"(?&lt;status&gt;.*)\",\"description\":\"(?&lt;description&gt;.*)\"\}\]" | eval message="event published to ebnc"<BR />| table message status description</SPAN></P><P>&nbsp;</P> Thu, 31 Aug 2023 10:09:52 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-file-name-from-raw-logs/m-p/656228#M54052 aditsss 2023-08-31T10:09:52Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-file-name-from-raw-logs/m-p/656231#M54053 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225066">@aditsss</a>,</P><P>please try the following regex:</P><LI-CODE lang="markup">! rex "Triumph.*Processor - (?&lt;field&gt;[^ ]*)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/XNehPc/1" target="_blank">https://regex101.com/r/XNehPc/1</A></P><P>Ciao.</P><P>Giuseppe</P> Thu, 31 Aug 2023 10:13:42 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-file-name-from-raw-logs/m-p/656231#M54053 gcusello 2023-08-31T10:13:42Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-file-name-from-raw-logs/m-p/656236#M54054 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>It will not always&nbsp;</P><P>"Triumph.*Processor</P><P><SPAN class="">CarsUnbilledProcessor</SPAN> <SPAN class="">-</SPAN><STRONG> <SPAN class="">CARS.UNBILLED</SPAN> </STRONG><SPAN class=""><SPAN class="">event</SPAN> <SPAN class="">published</SPAN> <SPAN class="">to</SPAN> <SPAN class="">ebnc:</SPAN></SPAN><SPAN> [{"</SPAN><SPAN class="">status</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">SUCCESS</SPAN><SPAN>","</SPAN><SPAN class="">description</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">Event</SPAN> <SPAN class="">saved</SPAN> <SPAN class="">to</SPAN> <SPAN class="">database</SPAN> <SPAN class="">successfully.</SPAN><SPAN>"}]</SPAN></P><P><SPAN><SPAN class="">CarsDeltaHierarchyProcessor</SPAN> <SPAN class="">-</SPAN> <STRONG><SPAN class="">CARS_HIERARCHY</SPAN></STRONG> <SPAN class=""><SPAN class="">event</SPAN> <SPAN class="">published</SPAN> <SPAN class="">to</SPAN> <SPAN class="">ebnc:</SPAN></SPAN> [{"<SPAN class="">status</SPAN>"<SPAN class="">:</SPAN>"<SPAN class="">SUCCESS</SPAN>","<SPAN class="">description</SPAN>"<SPAN class="">:</SPAN>"<SPAN class="">Event</SPAN> <SPAN class="">saved</SPAN> <SPAN class="">to</SPAN> <SPAN class="">database</SPAN> <SPAN class="">successfully.</SPAN>"}]</SPAN></P><P><SPAN><SPAN class="">2023-08-30</SPAN> <SPAN class="">04:30:48.058</SPAN> [<SPAN class="">INFO</SPAN> ] [<SPAN class="">Thread-43</SPAN>] <SPAN class="">TriumphProductProcessor</SPAN> <SPAN class="">-</SPAN> <STRONG><SPAN class="">TRIM.PRD</SPAN></STRONG> <SPAN class=""><SPAN class="">event</SPAN> <SPAN class="">published</SPAN> <SPAN class="">to</SPAN> <SPAN class="">ebnc:</SPAN></SPAN> [{"<SPAN class="">status</SPAN>"<SPAN class="">:</SPAN>"<SPAN class="">SUCCESS</SPAN>","<SPAN class="">description</SPAN>"<SPAN class="">:</SPAN>"<SPAN class="">Event</SPAN> <SPAN class="">saved</SPAN> <SPAN class="">to</SPAN> <SPAN class="">database</SPAN> <SPAN class="">successfully.</SPAN>"}]</SPAN></P><P><SPAN>Its both CARS and Triumph&nbsp;</SPAN></P><P><SPAN><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;can you provide me regex now.</SPAN></P> Thu, 31 Aug 2023 10:25:50 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-file-name-from-raw-logs/m-p/656236#M54054 aditsss 2023-08-31T10:25:50Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-file-name-from-raw-logs/m-p/656238#M54055 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225066">@aditsss</a>,</P><P>is the processor word always present?</P><P>if yes, please try:</P><LI-CODE lang="markup">! rex "Processor - (?&lt;field&gt;[^ ]*)"</LI-CODE><P>in other words, you have to find a rule to apply to the regex to identify the part to extract.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 31 Aug 2023 10:30:16 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-file-name-from-raw-logs/m-p/656238#M54055 gcusello 2023-08-31T10:30:16Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-file-name-from-raw-logs/m-p/656244#M54056 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225066">@aditsss</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 31 Aug 2023 10:54:26 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-file-name-from-raw-logs/m-p/656244#M54056 gcusello 2023-08-31T10:54:26Z