Extract fields from filename and put it into event

WXY · ‎07-31-2018

I wang to extract field from event source filename.
The file path format shows:

D:\soft\logs\fv_1_Tom_lab1_20180701.txt

I want get two fields in my events
such as username=Tom; project=lab1

what should I do ?
How can I confige my props.conf and transforms.conf ,I use SplunkForward to forward my data

WalshyB · ‎07-31-2018

You could try this?

props.conf
[your_sourcetype]
EXTRACT-username,project = ^.*?\logs\D+\d_(?[^]+)(?[^_]+) in source

You will need to adjust the regex as I made it pretty quick and it is unlikely to match all the cases you have which you haven't provided.

493669 · ‎07-31-2018

can you show some sample events to understand better
from your explanation you can try:
in props.conf -

[sourcetype_name]
 REPORT-myUniqueClassName = myTransform

in transforms.conf -

[myTransform]
  REGEX = (\w+)=(\w+)
  FORMAT = $1::$2

Are you a member of the Splunk Community?