Developing for Splunk Enterprise

remove path from source to only show file name for file monitor input

Skins
Path Finder

Is there a way at input time to omit the path of the file monitor to leave only the file names ?

path monitored :

/opt/csv/*

in the location - the files ..

filenameA.csv
filenameB.csv
filenameC.csv
filenameD.csv

but the source is alway prepended with the path.

/opt/csv/filenameA.csv
/opt/csv/filenameB.csv

can this be removed at input ?

gratzi

Tags (1)
0 Karma

vishaltaneja070
Motivator

Hello @Skins,

This can be done at Parsing time using transforms.conf
[replacedefaultsource]
SOURCE_KEY = MetaData:Source
REGEX = \/opt\/csv\/(\w+.\w+)
DEST_KEY = MetaData:Source
FORMAT= source::$1

0 Karma

Skins
Path Finder

tried this exactly as above in transforms.conf and had no effect

splunk was restarted.

0 Karma

vishaltaneja070
Motivator

did you call it through props.conf?

Like:
[your_sourcetype]
TRANSFORMS-sourcename= replacedefaultsource

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.