Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Nedd regex help to use part of a filepath as source type

brent_weaver
Builder
‎04-05-2017 05:53 AM

I have a source of /var/log/opscode/desired_sourcetype/current. I need to get the part of the filename that is called "desired_courcetype" via regex. I am almost there, the rewriting is working great. Here is my config:

Props:

[chef:server]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRANSFORMS-update_metadata = autosource

Transforms:

[autosource]
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Source
REGEX = \w+
FORMAT = sourcetype::chef:server:$4

Clearly I am not well versed in regex. So woud would the regex be to capture the 3rd element of the filepath delimited by the /.

Any help is MUCH appreciated!

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-05-2017 06:49 AM

Like this:

[autosource]
SOURCE_KEY = MetaData:Source
REGEX = ^source::(?:/[^/]+){3}/([^/]+)/
FORMAT = sourcetype::chef:server:$1
DEST_KEY = MetaData:Sourcetype
0 Karma
Reply

woodcock
Esteemed Legend
‎04-05-2017 06:51 AM

Deploy to Indexers (or HFs) and restart splunk instances and verify on NEW events (old events will stay broken).

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-05-2017 06:12 AM

Hi brent_weaver,
do you want to extract this field at search time or at index time?
at search time you could use a regex like this

\/var\/log\/opscode\/(?<desired_courcetype>[^\/]*)

test it at https://regex101.com/r/8YMnMh/1
Bye.
Giuseppe

Reply

brent_weaver
Builder
‎04-05-2017 06:41 AM

Also inportant to note that "desired_sourcetype" is variable, that is not a static string.

0 Karma
Reply

brent_weaver
Builder
‎04-05-2017 06:20 AM

Guiseppe - I would want it at index time. This config is sitting on a heavy weight forwarder. So if I used that config what would my FORMAT field look like in transforms?

0 Karma
Reply

somesoni2
Revered Legend
‎04-05-2017 06:45 AM

YOu can just use the same REGEX (minus the name capture), i.e. just \/var\/log\/opscode\/([^\/]*) as REGEX in your transforms.conf.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...
Top