Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- source name setup with wildcard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Everyone,
Currently i am monitoring the *.log files under a path, i have not given a source name since we dont have a definite source The file names keep on updating
My Inputs.conf
[monitor://[path]\*.log]
disabled = 0
index = test
sourcetype = sourcetypetest
When the data is indexed into splunk, it is giving the source names as "E:\test\Apps\path\EventLogs\MemoCPU\user-MemoCPU.log'' where as i just want to extract the 'user-MemoCPU' field in the source and display in a dashboard panel. Please let me know if its possible
I am building a dashboard panel with below query,
index = test | stats count by source | sort -count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes,
For the first one just extract the user part:
index = test | rex field=source "\\\\(?<source>\w+)-\w+.log$" | stats count by source | sort -count
For the second one:
index = test | rex field=source "\\\\(?<source>\w+)-(?<issue>\w+)\.log$" | table source, issue
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, this worked like a charm.
output is shown as below
source count
user-MemoCPU 1
Is there a way i can show output as just like below
source count
user 1
or
source issue
user MemoCPU
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes,
For the first one just extract the user part:
index = test | rex field=source "\\\\(?<source>\w+)-\w+.log$" | stats count by source | sort -count
For the second one:
index = test | rex field=source "\\\\(?<source>\w+)-(?<issue>\w+)\.log$" | table source, issue
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot, both working fine !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are welcome! Upvotes will be appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use rex to extract the only filename:
index = test | rex field=source "(?<source>[^\\\\]+)\.log$" | stats count by source | sort -count
If this reply helps you, an upvote/like would be appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
