topic Re: How to extract fields from source? in Splunk Search

How to extract fields from source?

karthi2809 — Fri, 25 Oct 2024 09:33:45 GMT

How to extract fields from below source.

/audit/logs/QTEST/qtestw-core_server4-core_server4.log I need extract QTEST as environment qtestw as hostname core_server4 as component core_server4.log as filename

Re: How to extract fields from source?

gcusello — Fri, 25 Oct 2024 09:43:51 GMT

Hi @karthi2809 ,

you can use this regex:

| rex field=source "^\/\w+\/\w+\/(?<environment>\w+)\/\w+-(?<component>[^-]+)-(?<filename>.*)"

you can test this regex at https://regex101.com/r/0VJvAw/1

Ciao.

Giuseppe

Re: How to extract fields from source?

Jawahir — Fri, 25 Oct 2024 09:50:46 GMT

Try this :

<your_search>|rex field=source "\/audit\/logs\/(?<environment>[^\/]*)\/(?<hostname>[^-]*)\-(?<component>[^-]*)\-(?<filename>.*$)"

------

topic Re: How to extract fields from source? in Splunk Search

How to extract fields from source?

Re: How to extract fields from source?

Re: How to extract fields from source?

If you find this solution helpful, please consider accepting it and awarding karma points !!