- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
I was wondering how to use a directory name (segment) as an event tag. For example:
C:\bin\code\python\test_system\scoring\results\16\17055079037\some files log files here or in directory's below this.
The system outputs many hundreds of directories at the 17055079037 level. I don't want to segment on host, source, or sourcetype (as I have manually defined these to cut the console spam). I'd just want the 17055079037 level to be reported as an event attribute, so when I open the error log within Splunk, I can readably see that the log file originated from the 17055079037 directory.
I am guessing this is something to do with segmentation, but I don't know how to configure the inputs.conf for this.
Any suggestions gratefully received.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can extract fields from other fields, in this case from source
:
props.conf
[sourcetype, source, or host stanza]
EXTRACT-level = ^(?:[^\\]+\\){8}(?<level>[^\\]+) in source
That would give you a field level
set to the segment after the eighth backslash.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can extract fields from other fields, in this case from source
:
props.conf
[sourcetype, source, or host stanza]
EXTRACT-level = ^(?:[^\\]+\\){8}(?<level>[^\\]+) in source
That would give you a field level
set to the segment after the eighth backslash.