https://community.splunk.com/t5/Splunk-Search/Create-a-field-from-the-source/m-p/330871#M98488 <P>Hi,</P> <P>I have created fields from the raw data successfully. However now I need to extract a portion of the source data (which I imported manually into my Splunk running on a Mac) and create one field.<BR /> My source data are actually multiple files that contains log and the machine identifiers is in the source path<BR /> Exemple:<BR /> splunk_data.zip:./var/www/temp/GetOnline/CG1111/MD/LOG.TXT<BR /> splunk_data.zip:./var/www/temp/GetOnline/UV5015/MD/LOG.TXT</P> <P>The correct regex to extract the machine name would be: (?&lt;=ne\/).*?(?=\/MD)</P> <P>I have tried all possible answers from that forum and I could not create a field t.hat would include all my machine names.</P> <P>I was wondering if you guys can shed some light here?</P> <P>Thanks.</P> Tue, 29 Sep 2020 14:20:49 GMT splunkbee 2020-09-29T14:20:49Z https://community.splunk.com/t5/Splunk-Search/Create-a-field-from-the-source/m-p/330871#M98488 <P>Hi,</P> <P>I have created fields from the raw data successfully. However now I need to extract a portion of the source data (which I imported manually into my Splunk running on a Mac) and create one field.<BR /> My source data are actually multiple files that contains log and the machine identifiers is in the source path<BR /> Exemple:<BR /> splunk_data.zip:./var/www/temp/GetOnline/CG1111/MD/LOG.TXT<BR /> splunk_data.zip:./var/www/temp/GetOnline/UV5015/MD/LOG.TXT</P> <P>The correct regex to extract the machine name would be: (?&lt;=ne\/).*?(?=\/MD)</P> <P>I have tried all possible answers from that forum and I could not create a field t.hat would include all my machine names.</P> <P>I was wondering if you guys can shed some light here?</P> <P>Thanks.</P> Tue, 29 Sep 2020 14:20:49 GMT https://community.splunk.com/t5/Splunk-Search/Create-a-field-from-the-source/m-p/330871#M98488 splunkbee 2020-09-29T14:20:49Z https://community.splunk.com/t5/Splunk-Search/Create-a-field-from-the-source/m-p/330872#M98489 <P>Try this.</P> <P>props.conf:</P> <PRE><CODE>[&lt;yoursourcetype&gt;] REPORT-machinename = machinename </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[machinename] SOURCE_KEY = MetaData:Source REGEX = (?&lt;=ne\/)(?&lt;machinename&gt;.*)?(?=\/MD) </CODE></PRE> Thu, 08 Jun 2017 22:54:06 GMT https://community.splunk.com/t5/Splunk-Search/Create-a-field-from-the-source/m-p/330872#M98489 micahkemp 2017-06-08T22:54:06Z https://community.splunk.com/t5/Splunk-Search/Create-a-field-from-the-source/m-p/330873#M98490 <P>Thanks for your answer.</P> <P>I've done what you suggested but it doesn't work. I have three questions:</P> <P>1) There are a lot of props.conf and transforms.conf on my Mac. I created these two files under /Application/Splunk/etc/system/local and I populated them with your inputs above. Is that right?</P> <P>2) In your props.conf above, what would be the correct value for "yoursourcetype"?</P> <P>3) Then what? Restart Splunk? Restart my Mac? Re-index?</P> <P>Thanks</P> Fri, 09 Jun 2017 07:48:19 GMT https://community.splunk.com/t5/Splunk-Search/Create-a-field-from-the-source/m-p/330873#M98490 splunkbee 2017-06-09T07:48:19Z https://community.splunk.com/t5/Splunk-Search/Create-a-field-from-the-source/m-p/330874#M98491 <P>1) Which props/trasnforms files you alter may depend on your other configurations. You can use <A href="http://docs.splunk.com/Documentation/Splunk/6.6.1/Troubleshooting/Usebtooltotroubleshootconfigurations">btool</A> to ensure the configurations you create are being handled as you want them.</P> <P>2) That depends on what sourcetype the data is created with. When you search for this data in your Splunk instance, what do you see for the sourcetype?</P> <P>3) You should not need to re-index, but you should at least perform a debug/refresh (yoursplunkhost:8000/debug/refresh, and click the button that is shown there) to inform Splunk to re-read its configuration.</P> Fri, 09 Jun 2017 15:34:12 GMT https://community.splunk.com/t5/Splunk-Search/Create-a-field-from-the-source/m-p/330874#M98491 micahkemp 2017-06-09T15:34:12Z