topic Re: How To Eval Filename As A New Field? in Splunk Search

How To Eval Filename As A New Field?

vtsguerrero — Fri, 23 Jan 2015 18:53:36 GMT

Shoud it be done in the props.conf stanza at the moment of indexing?
I'm gonna have multiple .txt files indexed and later for a dashboard I need to get these filename to compare each other's values.
Is there a way to create a new field using eval for these filenames?

Thanks in advance!
- Vinicius Guerrero

Re: How To Eval Filename As A New Field?

aweitzman — Fri, 23 Jan 2015 18:56:33 GMT

The filename should show up in the source field, right? Why not just use it from there?

Re: How To Eval Filename As A New Field?

vtsguerrero — Fri, 23 Jan 2015 18:58:58 GMT

But will I be able to table it as a result? Is there any example on how to use it?

Re: How To Eval Filename As A New Field?

aweitzman — Fri, 23 Jan 2015 19:07:59 GMT

It's a field like any other field you might have. You can include it in a table ( table source field1 field2... ), you can use it to group your results ( stats sum(field1) by source ), you can create another field by applying a regex to it ( rex field=source "regex-goes-here" ). Anything you can do with a text field you can do with source.

Re: How To Eval Filename As A New Field?

vtsguerrero — Fri, 23 Jan 2015 19:12:31 GMT

Thanks @awitzman ! it worked!
I thought it wouldn't work for multiple files, but seems ok without a regex.