remove path from source to only show file name for...

Skins · ‎01-30-2019

Is there a way at input time to omit the path of the file monitor to leave only the file names ?

path monitored :

/opt/csv/*

in the location - the files ..

filenameA.csv
filenameB.csv
filenameC.csv
filenameD.csv

but the source is alway prepended with the path.

/opt/csv/filenameA.csv
/opt/csv/filenameB.csv

can this be removed at input ?

gratzi

vishaltaneja070 · ‎01-30-2019

Hello @Skins,

This can be done at Parsing time using transforms.conf
[replacedefaultsource]
SOURCE_KEY = MetaData:Source
REGEX = \/opt\/csv\/(\w+.\w+)
DEST_KEY = MetaData:Source
FORMAT= source::$1

Skins · ‎01-31-2019

tried this exactly as above in transforms.conf and had no effect

splunk was restarted.

vishaltaneja070 · ‎01-31-2019

did you call it through props.conf?

Like:
[your_sourcetype]
TRANSFORMS-sourcename= replacedefaultsource

remove path from source to only show file name for file monitor input

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

remove path from source to only show file name for file monitor input

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey