Getting Data In

source name setup with wildcard

SS1
Path Finder

Hi Everyone,

Currently i am monitoring the *.log files under a path, i have not given a source name since we dont have a definite source The file names keep on updating

My Inputs.conf

[monitor://[path]\*.log]
disabled = 0
index = test
sourcetype = sourcetypetest

When the data is indexed into splunk, it is giving the source names as "E:\test\Apps\path\EventLogs\MemoCPU\user-MemoCPU.log'' where as i just want to extract the 'user-MemoCPU' field in the source and display in a dashboard panel. Please let me know if its possible

I am building a dashboard panel with below query,

index = test | stats count by source | sort -count

 

 

Tags (1)
0 Karma
1 Solution

manjunathmeti
SplunkTrust
SplunkTrust

Yes, 
For the first one just extract the user part:

index = test | rex field=source "\\\\(?<source>\w+)-\w+.log$" | stats count by source | sort -count

 

For the second one:

index = test | rex field=source "\\\\(?<source>\w+)-(?<issue>\w+)\.log$" | table source, issue

 

If this reply helps you, an upvote/like would be appreciated.

 

View solution in original post

SS1
Path Finder

Thanks, this worked like a charm.

output is shown as below

source                       count

user-MemoCPU        1

 

Is there a way i can show output as just like below

source                       count

user       1

or

source                       issue

user                       MemoCPU        

 

 

 

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

Yes, 
For the first one just extract the user part:

index = test | rex field=source "\\\\(?<source>\w+)-\w+.log$" | stats count by source | sort -count

 

For the second one:

index = test | rex field=source "\\\\(?<source>\w+)-(?<issue>\w+)\.log$" | table source, issue

 

If this reply helps you, an upvote/like would be appreciated.

 

SS1
Path Finder

Thanks a lot, both working fine !

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

You are welcome! Upvotes will be appreciated!

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

You can use rex to extract the only filename:

index = test | rex field=source "(?<source>[^\\\\]+)\.log$" | stats count by source | sort -count

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...