https://community.splunk.com/t5/Splunk-Search/Filter-the-source-file-of-logs-with-quot-rex-quot-command-to/m-p/154333#M43413 <P>That is excellent! It worked like a charm! Thanks to both of you!</P> <P>However, one thing occurred. The output has two separated charts rather than one, and thus I can't stack the results.</P> <P>Any idea?</P> <P>Regards,<BR /> Evang</P> Tue, 07 Oct 2014 12:33:15 GMT evang_26 2014-10-07T12:33:15Z https://community.splunk.com/t5/Splunk-Search/Filter-the-source-file-of-logs-with-quot-rex-quot-command-to/m-p/154330#M43410 <P>Hi users,</P> <P>I automatically import some log-files to Splunk using a script. The naming convention for those files is somehow arbitrary. </P> <P>My aim is to produce a panel depicting the totals of the logs for each file in a stacked manner. Till here we are good.</P> <P>The problem is that the log-file names are pretty awkward and long given the fact that they also reveal the complete path as to where they came from. I want to present to the viewer only the most intuitive part of the log-file name.</P> <P>Here is what I managed to do but it doesn't work as expected. </P> <PRE><CODE>sourcetype=nessus source=*SNMP* earliest=-1mon@mon latest=now signature_id=41028| rex "source.*SNMP public community \((?&lt;area&gt;.*)\)" |chart count(dest_dns) by area </CODE></PRE> <P>I assume that the "source" of the file is not appeared within the log itself, maybe. And that's why I can't filter it with <STRONG><EM>rex</EM></STRONG></P> <P>Are you aware of any other technique that might help me to display only a particular part of the source-name?</P> <P>Regards,<BR /> Evang</P> Tue, 07 Oct 2014 12:05:26 GMT https://community.splunk.com/t5/Splunk-Search/Filter-the-source-file-of-logs-with-quot-rex-quot-command-to/m-p/154330#M43410 evang_26 2014-10-07T12:05:26Z https://community.splunk.com/t5/Splunk-Search/Filter-the-source-file-of-logs-with-quot-rex-quot-command-to/m-p/154331#M43411 <P>Try this for rex. Field can be used to pick any available fields which splunk provides on the left hand side and then the rex expression which you write will be applied on that field.</P> <PRE><CODE>|rex field=source "*SNMP public community \((?&lt;area&gt;.*)\)"" </CODE></PRE> Tue, 07 Oct 2014 12:08:16 GMT https://community.splunk.com/t5/Splunk-Search/Filter-the-source-file-of-logs-with-quot-rex-quot-command-to/m-p/154331#M43411 theouhuios 2014-10-07T12:08:16Z https://community.splunk.com/t5/Splunk-Search/Filter-the-source-file-of-logs-with-quot-rex-quot-command-to/m-p/154332#M43412 <P>You can have <CODE>rex</CODE> match against any field you like, including the <CODE>source</CODE> field. Just use the <CODE>field=</CODE> parameter to <CODE>rex</CODE>.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Rex">http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Rex</A></P> Tue, 07 Oct 2014 12:10:13 GMT https://community.splunk.com/t5/Splunk-Search/Filter-the-source-file-of-logs-with-quot-rex-quot-command-to/m-p/154332#M43412 Ayn 2014-10-07T12:10:13Z https://community.splunk.com/t5/Splunk-Search/Filter-the-source-file-of-logs-with-quot-rex-quot-command-to/m-p/154333#M43413 <P>That is excellent! It worked like a charm! Thanks to both of you!</P> <P>However, one thing occurred. The output has two separated charts rather than one, and thus I can't stack the results.</P> <P>Any idea?</P> <P>Regards,<BR /> Evang</P> Tue, 07 Oct 2014 12:33:15 GMT https://community.splunk.com/t5/Splunk-Search/Filter-the-source-file-of-logs-with-quot-rex-quot-command-to/m-p/154333#M43413 evang_26 2014-10-07T12:33:15Z https://community.splunk.com/t5/Splunk-Search/Filter-the-source-file-of-logs-with-quot-rex-quot-command-to/m-p/154334#M43414 <P>Okay, sorry, false alarm!</P> <P>It was the multi-series mode which I've never played with, and for first time was by default switched on.</P> <P>Many thanks to both!</P> <P>Regards,<BR /> Evang</P> Tue, 07 Oct 2014 12:41:55 GMT https://community.splunk.com/t5/Splunk-Search/Filter-the-source-file-of-logs-with-quot-rex-quot-command-to/m-p/154334#M43414 evang_26 2014-10-07T12:41:55Z