Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

writing a rex for transforms

gurinderbhatti
Path Finder
‎01-13-2014 12:16 PM

Hello All,
I would appreciate some assistance in writing a transforms stanza.
I am ingesting logs in which both the logname and one of the path directories both have random names. This is causing my source count to go through the roof. See below:

/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920647/AE_BICURCNV_1920647.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920659/AE_BICURCNV_1920659.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920665/AE_BICURCNV_1920665.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920672/AE_BICURCNV_1920672.AET
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920672/AE_BICURCNV_1920672.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920678/AE_BICURCNV_1920678.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920695/AE_BICURCNV_1920695.stdout
/appserv/prcs/FSPRD/log_output/AE_BICURCNV_1920723/AE_BICURCNV_1920723.stdout

As you can see the directory before the log file keeps on changing. I need to write a transform to ignore everything after 'AE' and then the file name.
So it almost would like the following:
/appserv/prcs/FSPRD/log_output/AE/AE.stdout

Can someone help me write the regex for my transforms base file that i can reference which would achieve this. thanks in advance.

Tags (1)
0 Karma
Reply

lukejadamec
Super Champion
‎01-13-2014 12:33 PM

No. You can't do that with a regex. I mean you can create the REGEX, but it will not effect the source overload. The REGEX just tells Splunk which file to 'get'. The determination of Source is something completely different - it is automatic and it is based on the real file path.

What you really want to do is override source. Check out this doc:

http://answers.splunk.com/answers/97128/question-about-override-source-value-for-a-single-input

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...