topic Re: Field Extraction in Splunk Search

Field Extraction

aknsun — Wed, 30 Sep 2020 04:00:21 GMT

Need some suggestion for field extraction.

Take this as an example:
I have a file path /opt/splunk/var/log/splunk/splunkd.log

There is already a field extraction done for this called file_name.

I would like to do a filed extraction with just the Directory path ( /opt/splunk/var/log/splunk/) and name dir_name.

The problem arises when I try to do a new extraction, as the path is sort of already used by file_name and splunk mentions that I need "To highlight text that is already part of an existing extraction, first turn off the existing extractions"

My doubt here is. If I turn of the existing extraction and then create one for dir_name, would I still be able to use file_name or does that get over-ridden by the new extraction?

Thanks,
AKN

Re: Field Extraction

vnravikumar — Wed, 05 Feb 2020 04:38:08 GMT

Check this

| makeresults 
| eval path="/opt/splunk/var/log/splunk/splunkd.log" 
| rex field=path "(^(?P<dir_name>.+)\/)([^\/]+)$"

| makeresults 
| eval path="/opt/splunk/var/log/splunk/splunkd.log" 
| eval dir_name=replace(path,"(\/[^\/]+)$","")

Re: Field Extraction

to4kawa — Wed, 05 Feb 2020 10:03:50 GMT

| makeresults 
| eval file_name="/opt/splunk/var/log/splunk/splunkd.log" 
| rex field=file_name "(?<dir_name>\/.*\/)"

Hi, how about this?