Solved: Change source file name while indexing

splunkwar · ‎03-30-2020

Hi,

I have a source file something like this Samplefile_Infobar_20200331 and I would like to view the source as Samplefile_Infobar_2020-03-31 on Splunk search head (With hyphens between the yyyymmdd). How to do it.

Thanks

gcusello · ‎03-30-2020

hi @ splunkwar
try something like this:

| makeresults | eval source="Samplefile_Infobar_20200331.log"
| rex field=source "^(?<prefix>.*)(?<year>\d\d\d\d)(?<month>\d\d)(?<day>\d\d)(?<ext>.*)"
| eval source_final=prefix.year."-".month."-".day.ext
| table source source_final

Ciao.
Giuseppe

View solution in original post

gcusello · ‎03-30-2020

hi @ splunkwar
try something like this:

| makeresults | eval source="Samplefile_Infobar_20200331.log"
| rex field=source "^(?<prefix>.*)(?<year>\d\d\d\d)(?<month>\d\d)(?<day>\d\d)(?<ext>.*)"
| eval source_final=prefix.year."-".month."-".day.ext
| table source source_final

Ciao.
Giuseppe

splunkwar · ‎03-30-2020

Thanks @gcusello , is there a way to achieve same before indexing ?
thanks in advance.

gcusello · ‎03-30-2020

hi @splunkwar,
I cannot test it, so try something like this:
transforms.conf

[source_override]
REGEX = ^(.*)_(\d\d\d\d)(\d\d)(\d\d)(.*)
FORMAT = source::$1_$2-$3-$4$5
SOURCE_KEY=MetaData:Source
DEST_KEY = MetaData:Source

props.conf

[your_sourcetype]
REPORT-source = source_override

Ciao.
Giuseppe

splunkwar · ‎03-30-2020

Thanks, it works. 🙂

gcusello · ‎03-30-2020

You're welcome!
See next time!
ciao.
Giuseppe

Change source file name while indexing

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk