topic How to get dynamic source name from a request? in Splunk Search

How to get dynamic source name from a request?

batham — Mon, 12 Dec 2022 15:04:13 GMT

Hi Folks ,

I am new to splunk and trying to get dynamic source value from the response, here is my query:

index="itestData" AND source="/opt/ABC/DEF/GHI/KLM/LOG*" AND "error"

Please note that * after LOG is a dynamic value (like LOG-A.log , LOG-B.log, LOG-C.log) and there are at least 70 servers like this, when i get any error i want to know from which log this error is coming (A or B or C and so on) .

Let me know if there is any other way to get this (i do not want to individually put the name of sources as servers go up and down )

Thanks in advance.

Re: how to get dynamic source name from a request?

richgalloway — Mon, 12 Dec 2022 01:17:00 GMT

When you look at the output of that search you should see 'host=', 'source=', and 'sourcetype=' values under each returned event. Those values are exact, without wildcards. You can can include the source field in the output using the table command.

index="itestData" AND source="/opt/ABC/DEF/GHI/KLM/LOG*" AND "error" | table source

Re: how to get dynamic source name from a request?

bowesmana — Mon, 12 Dec 2022 02:13:55 GMT

Use rex to extract the server name from the source, i.e.

| rex field=source ".*LOG-(?<server>.*)"

That will give you a new field name called 'server' - note it captures everything in the source field following LOG-

Then you can do whatever you want with that new field.