Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

writing a rex for transforms

gurinderbhatti
Path Finder
‎01-13-2014 12:16 PM

Hello All,
I would appreciate some assistance in writing a transforms stanza.
I am ingesting logs in which both the logname and one of the path directories both have random names. This is causing my source count to go through the roof. See below:

/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920647/AE_BICURCNV_1920647.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920659/AE_BICURCNV_1920659.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920665/AE_BICURCNV_1920665.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920672/AE_BICURCNV_1920672.AET
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920672/AE_BICURCNV_1920672.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920678/AE_BICURCNV_1920678.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920695/AE_BICURCNV_1920695.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920723/AE_BICURCNV_1920723.stdout

As you can see the directory before the log file keeps on changing. I need to write a transform to ignore everything after 'AE' and then the file name.
So it almost would like the following:
/appserv/prcs/FSPRD/log_output/AE/AE.stdout

Can someone help me write the regex for my transforms base file that i can reference which would achieve this. thanks in advance.

Tags (1)
0 Karma
Reply

lukejadamec
Super Champion
‎01-13-2014 12:33 PM

No. You can't do that with a regex. I mean you can create the REGEX, but it will not effect the source overload. The REGEX just tells Splunk which file to 'get'. The determination of Source is something completely different - it is automatic and it is based on the real file path.

What you really want to do is override source. Check out this doc:

http://answers.splunk.com/answers/97128/question-about-override-source-value-for-a-single-input

Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...