- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: dynamically assign sourcetype on folder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll like to assign the sourcetype on the folder the logs are sitting in
What I have
File location pick up by forwarder
C:\Program Files (x86)\License\Current\test\filename.log
props.conf
[source::C:\\Program Files (x86)\\License\\Current\\*\\*.log]
TRANSFORMS-set_sourcetype = set_sourcetype_from_log_subdir
Transforms.conf
[set_sourcetype_from_log_subdir]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Sourcetype
REGEX = .+\\(.+)\\[^]*
FORMAT = sourcetype::$1
Splunk Returns sourcetype as filename when index
but I want is the folder not the file name so it should return test
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
found the issue was to do with are Props.conf
Props.conf
[source::C:\Program Files (x86)\\Current\\*\\*.log]
should be
[source::...\\Current\\*\\*.log]
everything else was right.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
found the issue was to do with are Props.conf
Props.conf
[source::C:\Program Files (x86)\\Current\\*\\*.log]
should be
[source::...\\Current\\*\\*.log]
everything else was right.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi fredkeiser,
Your regex is missing the double escaped backslashes and you can test it with Splunk's internal regex functions:
splunk cmd pcregextest test_str="C:\Program Files (x86)\LIC\Current\test\filename.log" mregex=".+\\(.+)\\[^\\]*"
returns:
Original Pattern: '.+\(.+)\[^\]*'
Expanded Pattern: '.+\(.+)\[^\]*'
ERROR: Regex: unmatched parentheses
But if you double escape the backslashes it works:
splunk cmd pcregextest test_str="C:\Program Files (x86)\LIC\Current\test\filename.log" mregex=".+\\\(.+)\\\[^\\\]+"
returns:
Original Pattern: '.+\\(.+)\\[^\\]+'
Expanded Pattern: '.+\\(.+)\\[^\\]+'
Regex compiled successfully. Capture group count = 1. Named capturing groups = 0.
SUCCESS - match against: 'C:\Program Files (x86)\LIC\Current\test\filename.log'
#### Capturing group data #####
Group | Name | Value
--------------------------------------
1 | | test
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll try that as well and still returns the file name as the sourcetype. even when you test your regex here http://www.regexr.com/ it shows it should work. But for some reason it doesn't work with Splunk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahh, sorry my bad ! I'll update the answer ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
update done
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help MuS
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
