https://community.splunk.com/t5/Splunk-Search/Extracting-field-from-source-for-indexing/m-p/48684#M11618 <P>Hi,</P> <P>I have to add a field which has to be indexed along with the default fields. I can pick up the value from the Source directory name in the monitored path.</P> <P>For e.g.: inputs.conf:</P> <PRE><CODE>[monitor://c:\splunk-data\...\*] </CODE></PRE> <P>I want the new field 'project_number' value from the directory replacing ... (There are a lot of values for 'project' and all the queries will use the 'project' as a filter, so its better indexed)</P> <P>The problem is I'm not able to extract the field name from the Source. Following is teh configuration files in my app.</P> <P>fields.conf:</P> <PRE><CODE>[project_number] INDEX = True INDEXED_VALUE = False </CODE></PRE> <P>props.conf:</P> <PRE><CODE>[mysourcetype] EXTRACT-... TRANSFORM-FIELDS = get_project_num </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>SOURCE_KEY = Metadata:Source REGEX = C:\\splunk\-data\\([0-9\-]*)\\([0-9\-]*) FORMAT = project_number::"$1" WRITE_META=true </CODE></PRE> <P>The monitor is picking up the new files as I add to test, but the project_number field is never populated.</P> <P>Please let me know if I'm missing something.</P> <P>Thank you, Krishna</P> Sun, 12 Sep 2010 19:29:48 GMT Krishna_R 2010-09-12T19:29:48Z https://community.splunk.com/t5/Splunk-Search/Extracting-field-from-source-for-indexing/m-p/48684#M11618 <P>Hi,</P> <P>I have to add a field which has to be indexed along with the default fields. I can pick up the value from the Source directory name in the monitored path.</P> <P>For e.g.: inputs.conf:</P> <PRE><CODE>[monitor://c:\splunk-data\...\*] </CODE></PRE> <P>I want the new field 'project_number' value from the directory replacing ... (There are a lot of values for 'project' and all the queries will use the 'project' as a filter, so its better indexed)</P> <P>The problem is I'm not able to extract the field name from the Source. Following is teh configuration files in my app.</P> <P>fields.conf:</P> <PRE><CODE>[project_number] INDEX = True INDEXED_VALUE = False </CODE></PRE> <P>props.conf:</P> <PRE><CODE>[mysourcetype] EXTRACT-... TRANSFORM-FIELDS = get_project_num </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>SOURCE_KEY = Metadata:Source REGEX = C:\\splunk\-data\\([0-9\-]*)\\([0-9\-]*) FORMAT = project_number::"$1" WRITE_META=true </CODE></PRE> <P>The monitor is picking up the new files as I add to test, but the project_number field is never populated.</P> <P>Please let me know if I'm missing something.</P> <P>Thank you, Krishna</P> Sun, 12 Sep 2010 19:29:48 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-field-from-source-for-indexing/m-p/48684#M11618 Krishna_R 2010-09-12T19:29:48Z https://community.splunk.com/t5/Splunk-Search/Extracting-field-from-source-for-indexing/m-p/48685#M11619 <P>I think you need to include the [get_project_num] stanza in your transforms.conf. Like this:</P> <PRE><CODE>[get_project_num] SOURCE_KEY = MetaData:Source REGEX = C:\splunk-data\([0-9-])\([0-9-]) FORMAT = project_number::"$1" WRITE_META = true </CODE></PRE> <P>I think your regex may be off too. In your inputs.conf, you're monitoring "c:\splunk-data...*". But your transforms.conf regex includes a slash after c:\splunk-data. That may be correct, but it looks inconsistent with what you typed as your inputs.conf example.</P> <P>Anyways, I hope this helped. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sun, 12 Sep 2010 21:08:35 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-field-from-source-for-indexing/m-p/48685#M11619 Branden 2010-09-12T21:08:35Z https://community.splunk.com/t5/Splunk-Search/Extracting-field-from-source-for-indexing/m-p/48686#M11620 <P>Hey Branden, thanks for your reply, missed to reply yesterday. I have to use the extra slash for escaping the slash - as with standard regex. Otherwise there are varying error messages...</P> Tue, 14 Sep 2010 11:01:54 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-field-from-source-for-indexing/m-p/48686#M11620 Krishna_R 2010-09-14T11:01:54Z https://community.splunk.com/t5/Splunk-Search/Extracting-field-from-source-for-indexing/m-p/48687#M11621 <P>[project_number]<BR /> INDEX = True<BR /> INDEXED_VALUE = False</P> <P>this should be sufficient: </P> <P>[project_number]<BR /> INDEXED = True</P> Mon, 28 Sep 2020 10:22:47 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-field-from-source-for-indexing/m-p/48687#M11621 drrushi_splunk 2020-09-28T10:22:47Z