How to set source from directory monitor filepath ...

Getting Data In

I have a directory monitor setup like below:

[monitor://some/path/to/my/DATA/*]
disabled = false
host_regex = (\w+)-\w+\.log\..*$
index = this_data_index
sourcetype = some_sourcetype

The log files that I am monitoring in this directory are day-of-the-week log files (i.e. fooBar.log.mo, fooBar.log.tu, etc.). Currently, the source is being set to the default path some/path/to/my/DATA/helloWorld-text.log.mo but what I would like to do is strip off the day extension so that my source would be some/path/to/my/DATA/helloWorld-text.log regardless of which day file it loaded.

I've been looking around but have yet to find an answer that really applies to my situation. Any help would be greatly appreciated!

Get Updates on the Splunk Community!

How to set source from directory monitor filepath inputs.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation