How to develop a regular expression for my file pa...

cleelakrishna · ‎04-20-2017

How to develop a regular expression for the below paths to update in transforms.conf?

/srv/tomcat7/iiq/logs/sailpoint.log
/srv/tomcat7/iiq/logs/localhost_access_log.2017-04-19.txt
/srv/tomcat7/iiq/logs/catalina.out

Richfez · ‎07-16-2017

cleelakrishna,

If one of the below answers resolved your issue, could you please mark it Accepted? If they both did, Accept the most useful of the answers and upvote the other!

If it did not, please post back with more information or what's not working right so we can help finish this up!

Happy Splunking,
Rich

woodcock · ‎04-20-2017

In props.conf:

[YourSourcetypeHere]
REPORT-filename_from_source = filename_from_source

In transforms.conf:

[filename_from_source]
SOURCE_KEY = source
REGEX = [^\\\/]+$
FORMAT = finename::$1

somesoni2 · ‎04-20-2017

What you want to do with these path in the transforms.conf? Search time or index time?

cleelakrishna · ‎04-20-2017

there is one entry defined for log inputs. this happens to resolve to (at least) 6 different source files. Each unique file type should have a sourcetype, however these are all assigned to a single sourcetype.

I have to create each source type for that source paths

jkat54 · ‎04-20-2017

If you're looking to capture the filenames, try this

 \/src\/tomcat7\/iiq\/logs\/(.*)

Or if you're extracting as a field

 \/src\/tomcat7\/iiq\/logs\/(?<fileName>.*)

How to develop a regular expression for my file paths to update in transforms.conf?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation