Getting Data In

taking the source file path and creating a field

sbattista09
Contributor

if i wanted to take the app_name from the path of the source and create a field via the CLI of the input how would i do that? I know i could rename the source type however, that is not a option. I want to create a new field based off the 4th position of the source path.

source = /foo/app/test/app/app_name/logs/log.log

Tags (2)
0 Karma
1 Solution

rphillips_splk
Splunk Employee
Splunk Employee

You can setup in props.conf of the search head:

example with source stanza:

[source::/opt/log/*/logs]
EXTRACT-inSource = /opt/log/(?<field1>[^/]+)/logs/.* in source

example with sourcetype stanza:

[mysourcetype]
EXTRACT-inSource = /opt/log/(?<field1>[^/]+)/logs/.* in source

View solution in original post

woodcock
Esteemed Legend

Like this:

 ... | rex field=source "^\/(?:[^\/]+\/){3}(?<app_name>[^\/]+)\/"

rphillips_splk
Splunk Employee
Splunk Employee

You can setup in props.conf of the search head:

example with source stanza:

[source::/opt/log/*/logs]
EXTRACT-inSource = /opt/log/(?<field1>[^/]+)/logs/.* in source

example with sourcetype stanza:

[mysourcetype]
EXTRACT-inSource = /opt/log/(?<field1>[^/]+)/logs/.* in source

sbattista09
Contributor

This works well, one last question is, what is the syntax for extracting more fields in source?

putting in in like this only works with the foofoo extraction-
[sourcetypename]
EXTRACT-inSource = ^\/[^\/]+\/[^\/]+\/(?[^\/]+)\/ in source
EXTRACT-inSource = ^\/[^\/]+\/[^\/]+\/[^\/]+\/(?[^\/]+)\/ in source
EXTRACT-inSource = ^\/[^\/]+\/[^\/]+\/[^\/]+\/[^\/]+\/(?[^\/]+)\/ in source

0 Karma

sbattista09
Contributor

I don't want to do this via a inline search.

0 Karma

DalJeanis
Legend

...then combine rphillips suggestion with either mine or woodcock's - use one of our rex codes, with rphillips' suggestion of where to do it.

0 Karma

DalJeanis
Legend

use...

| rex field=source "^\/[^\/]+\/[^\/]+\/[^\/]+\/(?<myfield>[^\/]+)\/"

...or ...

| rex field=source "^\/[^\/]+\/[^\/]+\/[^\/]+\/[^\/]+\/(?<myfield>[^\/]+)\/"

...depending on whether your "fourth" was zero-based or one-based.

Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...