https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342661#M101488 <P>Sorry I had my question mark in the wrong place.</P> Fri, 21 Apr 2017 12:51:21 GMT jkat54 2017-04-21T12:51:21Z https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342655#M101482 <P>Hi, I am trying to setup a dropdown bar for a dashboard and would like to setup dynamic inputs based on the source log file, as there are many different sites being built and torn down.</P> <P>example source log name:</P> <PRE><CODE>D:\Apache\logs\example.com.au_accessLog_2017-04-20-00_00_00.log </CODE></PRE> <P>I would like to extract "example.com.au" from the above source log file and drop everything else. Then make it a distinct value. This value would then be selectable in the dropdown bar to filter on that site.</P> <P>This is what I've attempted but is not returning what I need.</P> <PRE><CODE>index=example sourcetype=test:access | eval baseurl = mvindex(split(source,"/", -1) | top baseurl </CODE></PRE> <P>Thanks in advance.</P> Thu, 20 Apr 2017 23:50:08 GMT https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342655#M101482 danielsofoulis 2017-04-20T23:50:08Z https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342656#M101483 <P>The following should work for you to extract the part you want from the <CODE>source</CODE> field:</P> <PRE><CODE>index=example sourcetype=test:access | rex field=source "\\(?P&lt;file&gt;[^_\\]+)_[^\\]$" </CODE></PRE> Fri, 21 Apr 2017 00:13:44 GMT https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342656#M101483 cpetterborg 2017-04-21T00:13:44Z https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342657#M101484 <PRE><CODE>...| rex field=source "logs\\(?&lt;fqdn&gt;\S+)_accessLog" | top fqdn </CODE></PRE> Fri, 21 Apr 2017 00:19:38 GMT https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342657#M101484 jkat54 2017-04-21T00:19:38Z https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342658#M101485 <P>Thank you for answering. I ran the search with the rex you provided and got the following error:<BR /> Error in 'rex' command: Encountered the following error while compiling the regex '(?P[^<EM>]+)</EM>[^]$': Regex: missing terminating ] for character class </P> Fri, 21 Apr 2017 00:39:33 GMT https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342658#M101485 danielsofoulis 2017-04-21T00:39:33Z https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342659#M101486 <P>Hi thanks for you help, but I'm also getting an error when I run your rex:<BR /> Error in 'rex' command: Encountered the following error while compiling the regex 'logs(</P> Fri, 21 Apr 2017 00:40:42 GMT https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342659#M101486 danielsofoulis 2017-04-21T00:40:42Z https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342660#M101487 <P>I've managed to get it working using <BR /> rex field=source "\w+\(?P[\w+]+)_accessLog\S+$"| top 20 site</P> Fri, 21 Apr 2017 00:57:59 GMT https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342660#M101487 danielsofoulis 2017-04-21T00:57:59Z https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342661#M101488 <P>Sorry I had my question mark in the wrong place.</P> Fri, 21 Apr 2017 12:51:21 GMT https://community.splunk.com/t5/Splunk-Search/SPL-extract-logfile-name-from-source-field/m-p/342661#M101488 jkat54 2017-04-21T12:51:21Z