Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

writing a rex for transforms

gurinderbhatti
Path Finder
‎01-13-2014 12:16 PM

Hello All,
I would appreciate some assistance in writing a transforms stanza.
I am ingesting logs in which both the logname and one of the path directories both have random names. This is causing my source count to go through the roof. See below:

/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920647/AE_BICURCNV_1920647.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920659/AE_BICURCNV_1920659.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920665/AE_BICURCNV_1920665.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920672/AE_BICURCNV_1920672.AET
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920672/AE_BICURCNV_1920672.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920678/AE_BICURCNV_1920678.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920695/AE_BICURCNV_1920695.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920723/AE_BICURCNV_1920723.stdout

As you can see the directory before the log file keeps on changing. I need to write a transform to ignore everything after 'AE' and then the file name.
So it almost would like the following:
/appserv/prcs/FSPRD/log_output/AE/AE.stdout

Can someone help me write the regex for my transforms base file that i can reference which would achieve this. thanks in advance.

Tags (1)
0 Karma
Reply

lukejadamec
Super Champion
‎01-13-2014 12:33 PM

No. You can't do that with a regex. I mean you can create the REGEX, but it will not effect the source overload. The REGEX just tells Splunk which file to 'get'. The determination of Source is something completely different - it is automatic and it is based on the real file path.

What you really want to do is override source. Check out this doc:

http://answers.splunk.com/answers/97128/question-about-override-source-value-for-a-single-input

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...