topic Re: extract a name from file location in Splunk Search

extract a name from file location

guru333 — Mon, 29 Apr 2024 23:20:00 GMT

Hi,

How do I extract word "Dev" from below file location

source=/test1/folder1/scripts/monitor/log/env/dev/Error.log

and add some if condition statements like if word=dev,change it to development

word=test,change it to loadtest in splunk query.

Thanks

Re: extract a name from file location

bowesmana — Mon, 29 Apr 2024 23:28:13 GMT

Here's an example you can run in the search window - you are interested in the last two lines : rex statement and the final eval statement.

| makeresults | fields - _time | eval source=split("/test1/folder1/scripts/monitor/log/env/dev/Error.log,/test1/folder1/scripts/monitor/log/env/test/Error.log", ",") | mvexpand source | rex field=source ".*\/(?<env>\w+)\/.*" | eval environment=case(env="dev","development",env="test","loadtest",true(), "unknown:".env)

There are several ways you can assign the name to the environment - if you have lots of environments you can do this from a lookup or just use the case statement.

Re: extract a name from file location

guru333 — Tue, 30 Apr 2024 01:10:02 GMT

Thanks for your response

But my file location is

/test1/folder1/.scripts/monitor/log/env/dev/Error.log

So interested to get both values of

env and dev

Re: extract a name from file location

bowesmana — Tue, 30 Apr 2024 01:28:47 GMT

Not clear what you are saying - your original post says want the word "dev", but you also want the word "env" also?

Is "env" something that can change?

Re: extract a name from file location

guru333 — Tue, 30 Apr 2024 01:38:57 GMT

yes

/test1/folder1/.scripts/monitor/log/env/dev/Error.log

I want

field 1=value of env

field 2=value of dev

as there is scope of this changing later.

Re: extract a name from file location

guru333 — Tue, 30 Apr 2024 02:09:06 GMT

Also

/test1/folder1/scripts/monitor/log/env/dev/Error.log is dynamic source field value and not hardcoded value /test1/folder1/scripts/monitor/log/env/dev/Error.log so I need to integrate index command with makeresults something like this

index="monitoring"

source="/test1/folder1/.scripts/monitor/log/env/dev/Error.log"

extract values of env and dev...that can be dynamic to separate fields.

Re: extract a name from file location

yuanliu — Tue, 30 Apr 2024 05:46:17 GMT

You are making lots of apparently conflicting statements. It is important to illustrate/supplement your problem with sample/mock data and desired results, as well as a plain language statement of the logic between illustrated data and desired results. Can you confirm that you are looking for results like

dev	env	source
dev11	env11	/test1/folder1/scripts/monitor/log/env11/dev11/Error.log
dev21	env21	/test2/folder1/scripts/monitor/log/env21/dev21/Error.log

In other words, you want the second-to-last segment of the path to be in a field (named dev) and the 3rd-to-last segment to be in another field (named env).

If my mind-reading is correct, you can use the following

| eval mvsource = split(source, "/") | eval env = mvindex(mvsource, -3), dev = mvindex(mvsource, -2)

This is the emulation I use to produce the sample data

| makeresults format=csv data="source /test1/folder1/scripts/monitor/log/env11/dev11/Error.log /test2/folder1/scripts/monitor/log/env21/dev21/Error.log" ``` data emulation above ```

Play with it and compare with real data

Re: extract a name from file location

bowesmana — Tue, 30 Apr 2024 07:42:07 GMT

When someone provides you an example using the makeresults command, it is an example you can run to DEMONSTRATE the solution - in my posting I showed the example and said you need the last two lines.

The rex statement extracts fields from data. This will extract "env" and "dev" into fields a and b. Call them what you like

| rex field=source ".*\/(?<a>\w+)\/(?<b>\w+)\/.*"