Solved: Reference a regex from a source tyoe

williamcharlton · ‎05-30-2019

We have a dozen logs to ingest into Splunk. The log data will be obtained using regular expressions. Based on local conventions, we'll be creating a dozen source types, each named for its corresponding log.

As it turns out, only two regular expressions are needed for the dozen logs, one regular expression for 4 of the logs, and the second regular expression for the other 8 logs.

I don't want to copy and paste the one regular expression into 4 of the source types and the other regular expression into the other 8 source types. Instead, I want to store the two regular expressions in Splunk one time each and then reference each of the two regular expressions from the 12 source types as appropriate.

Is there a way to store the regular expressions in Splunk one time each and then reference them from the 12 source types?

skalliger · ‎06-02-2019

Simply: yes, you're looking for modular regular expressions.

Skalli

View solution in original post

skalliger · ‎06-02-2019

Simply: yes, you're looking for modular regular expressions.

Skalli

Reference a regex from a source tyoe

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Community Spotlight: A Splunk Expert's Journey

Are you a member of the Splunk Community?

Reference a regex from a source tyoe

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Community Spotlight: A Splunk Expert's Journey